Abstract



Quantum key distribution allows two parties connected by a quantum channel to establish a secret key that is unknown to any unauthorized third party. The secrecy of this key is based on the laws of quantum physics. For security, however, it is crucial that the honest parties are able to control their physical devices accurately and completely. The goal of device-independent quantum key distribution is to remove this requirement and base security only on the (observable) behaviour of the devices, i.e., the probabilities of the measurement results given the choice of measurement.

In this thesis, we study two approaches to achieve device-independent quantum key distribution: in the first approach, the adversary can distribute any system to the honest parties that cannot be used to communicate between the three of them, i.e., it must be non-signalling. This constraint is strictly weaker than the ones imposed by quantum physics, i.e., the adversary is strictly stronger. Security can then be concluded only based on the observed correlations. In the second approach, we limit the adversary to strategies which can be implemented using quantum physics. More precisely, we demand that the behaviour of the system shared between the honest parties and the adversary can be obtained by measuring some kind of entangled quantum state. Security is then based on the laws of quantum physics, but it does not rely on the exact details of the physical systems and devices used to create the observed correlations. In particular, it is independent of the dimension of the Hilbert space describing them.

For both approaches, we show how device-independent quantum key distribution can be achieved when imposing an additional condition. In the non-signalling case this additional requirement is that communication by means of the quantum system is impossible between all subsystems, while, in the quantum case, we demand that measurements on different subsystems must commute. We give a generic security proof for device-independent quantum key distribution in these cases and apply it to an explicit quantum key distribution protocol, thus proving its security. We also show that, without any such additional requirement, there exist means for non-signalling adversaries to attack several systems jointly. Some extra constraints are, hence, necessary for efficient device-independent secrecy.
Summary

Quantum key distribution allows two parties connected by a quantum channel to generate a key that is secret from any unauthorized third party. The security of this key is based on the laws of quantum physics. It can, however, only be guaranteed if the honest parties are able to control the physical apparatus exactly and completely. The goal of device-independent quantum key distribution is to relax this condition and to base security only on the (testable) behaviour of the apparatus, more precisely on the probabilities of measurement results given the choice of a particular measurement.

In this thesis we consider two possible approaches to achieving device-independent quantum key distribution: in the first, the adversary may provide the honest parties with any kind of system that cannot be used for communication. This condition is strictly weaker than those imposed by quantum physics, so the tolerated adversary is stronger. In this case, security is derived only from the observed correlations. In the second approach we restrict the possible strategies of the adversary to those that can be implemented by quantum systems. More precisely, we require that the system of the honest parties and the adversary can be generated by measuring an entangled quantum state. In this case security rests on the laws of quantum physics, but is independent of the details of the physical systems and the apparatus by means of which the correlations came about. In particular, the dimension of the Hilbert space describing the systems is arbitrary.

For both approaches we show how device-independent quantum key distribution can be achieved if one further condition is satisfied: in the case where the systems cannot be used for communication, this corresponds to the requirement that communication is also impossible between subsystems, while in the quantum-mechanical case measurements on different subsystems must commute. In both cases we give a general security proof for device-independent quantum key distribution and apply it to a concrete protocol, which we show to be secure even under these weak assumptions. We further show that without such an additional condition, good strategies exist with which an adversary limited only by the impossibility of communication can attack several systems jointly. Further restrictions are therefore in general necessary for efficient device-independent security.
Chapter 1

Introduction 



1.1 Quantum Key Distribution 

Key agreement is a protocol between two parties, Alice and Bob, to produce local strings such that, ideally, both strings are equal and no adversary can get any information about this string by eavesdropping on the protocol. This task can only be realized based on certain assumptions (such as assuming that the computing power [DH76, RSA83] or memory [Mau90] of the adversary is bounded) or the availability of resources (such as noisy channels [CK78]). Wiesner [Wie83] observed that a quantum channel can serve as such a resource in the context of various cryptographic tasks. The reason is that a quantum channel obeys the uncertainty principle of quantum mechanics, which states that there exist certain properties of quantum mechanical systems that cannot be known (exactly) simultaneously and that measuring one of them necessarily disturbs the other. Wiesner [Wie83] proposes a scheme for sending two messages 'either but not both of which may be received'¹ and a way of making 'money that is physically impossible to counterfeit'. The idea of basing security on the laws of quantum physics was further developed and combined with ideas from public-key cryptography by Bennett, Brassard, Breidbart, and Wiesner [BBBW82] and finally made into a key-distribution scheme by Bennett and Brassard [BB84].

1 It later turned out that, unfortunately, the laws of quantum mechanics alone are not enough to achieve this functionality, called oblivious transfer [Lo97, May97, LC97].

Roughly, the BB84 key-distribution scheme [BB84] works as follows (see Figure 1.1): Alice and Bob are connected by an (insecure) quantum channel and a public but authenticated classical channel.² Alice encodes a bit by sending a photon that is polarized in the direction of either of two basis states. However, she chooses not only the value of the encoded bit at random, but also whether the encoding is done in the horizontal or the diagonal basis.³ Bob receives the photon, chooses one of the two bases at random and measures the polarization of the photon in this basis. They repeat this process several times, each time taking note of the basis and the encoded bit or measurement result, respectively. Later, Alice uses the classical authenticated channel to tell Bob which basis she used to encode the bit. If Bob measured in the 'wrong' (i.e., other) basis, he obtained a random bit uncorrelated with what Alice sent. They discard exactly these bits. Wherever Bob measured in the same basis Alice used for the encoding, he should have received exactly the bit Alice had sent. Alice and Bob randomly select some of the bits and check this. If Bob received the correct bits, they use the remaining bits as a key.

Why is this secure? Assume that Eve intercepts the quantum channel between Alice and Bob and measures the photon. Since she does not know the basis in which the bit was encoded, with probability 1/2 she measures in the wrong basis, in which case Bob's bit will be random even when he measures in the same basis Alice used for the encoding. These 'errors' introduced by an eavesdropper will (with high probability) be noticed by Alice and Bob when they check their results and they will abort the protocol.
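The intercept-and-measure argument above, worked out exactly: an added example (not code from the thesis) that enumerates every equiprobable choice of Alice's bit and basis, Bob's basis and Eve's basis with exact fractions, and returns the fraction of rounds that survive sifting together with the error rate among the sifted bits. The basis labels 0/1 and the "Eve re-emits a photon encoding her outcome in her basis" model are constructed for the simulation.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
BASES = (0, 1)      # constructed labels: 0 = horizontal/vertical, 1 = diagonal
HALF = Fraction(1, 2)


def measure(bit, enc_basis, meas_basis):
    """Outcome distribution when a photon encoding `bit` in `enc_basis` is
    measured in `meas_basis`: deterministic in the same basis, uniformly
    random in the other (mutually unbiased) basis."""
    if enc_basis == meas_basis:
        return [(bit, Fraction(1))]
    return [(0, HALF), (1, HALF)]


def bb84_round_statistics(intercept_resend):
    """Enumerate every equiprobable choice of Alice's bit and basis, Bob's
    basis and (if intercept_resend) Eve's basis.  Returns the pair
    (P[bases agree], P[Bob's bit != Alice's bit | bases agree]).
    Eve measures each photon in a random basis and re-emits a photon
    encoding her outcome in that basis (assumed attack model)."""
    p_sift = Fraction(0)
    p_err = Fraction(0)
    for a_bit, a_basis, b_basis in product(BITS, BASES, BASES):
        p_choice = Fraction(1, 8)               # 2 bits x 2 bases x 2 bases
        if intercept_resend:
            # (bit, basis, probability) of the photon arriving at Bob
            arriving = [(e_bit, e_basis, HALF * p)
                        for e_basis in BASES
                        for e_bit, p in measure(a_bit, a_basis, e_basis)]
        else:
            arriving = [(a_bit, a_basis, Fraction(1))]
        for bit, basis, p_arrive in arriving:
            for b_bit, p_b in measure(bit, basis, b_basis):
                p = p_choice * p_arrive * p_b
                if a_basis == b_basis:          # kept after sifting
                    p_sift += p
                    if b_bit != a_bit:          # disagreement in a sifted bit
                        p_err += p
    return p_sift, p_err / p_sift


def detection_probability(k, qber):
    """Probability that at least one of k checked sifted bits shows an error."""
    return 1 - (1 - qber) ** k


if __name__ == "__main__":
    sift, qber = bb84_round_statistics(intercept_resend=False)
    print(f"no eavesdropper : sifted fraction {sift}, error rate {qber}")
    sift, qber = bb84_round_statistics(intercept_resend=True)
    print(f"intercept-resend: sifted fraction {sift}, error rate {qber}")
    print(f"P[detect Eve after 20 checked bits] = "
          f"{float(detection_probability(20, qber)):.4f}")
```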

Of course, Eve does not need to measure the photon going through the quantum channel; she can mount a more sophisticated attack. For example, she can entangle a system with the photon, store it, and delay her measurement until after Alice and Bob have revealed the basis used for the encoding. Indeed, it took several years until it was shown that the scheme remains secure in this case and a full security proof against the most general attacks was given [May01, LC99, BBB+06, SP00, LM01].

2 An authenticated channel can be built from an insecure classical channel using a short key [Sti91, GN93]. To account for the need for this initial key, quantum key distribution is sometimes called key expansion.

3 Instead of photons, Alice could also use another two-level quantum system and, for the encoding, another set of two mutually unbiased bases, i.e., two bases where measuring a basis state of one basis in the other basis gives a random outcome.

Figure 1.1: The BB84 quantum key-distribution protocol [BB84].



A further difficulty is that a physical implementation of the protocol will never be perfect and always contains noise. It is, therefore, necessary to allow for noisy channels and unreliable detectors in order to establish a key. It was also realized that the possibility of Eve delaying her measurement until the key is actually used in an application could pose a serious problem. The definition of secrecy of a key needs to be made carefully to hold in this situation [KRBM07]. Meanwhile, these issues have been considered in the security proofs and it can be shown that quantum key distribution remains secure despite them [Ren05].

Some years after Bennett and Brassard, Ekert [Eke91] proposed a quantum key distribution protocol whose security is based on a different property of quantum physics: the monogamy of entanglement. In fact, two quantum systems which are strongly entangled (correlated) can at most be weakly entangled with a third system [Ter04]. The idea of Ekert's protocol is the following (see Figure 1.2): Alice prepares two photons⁴ in an entangled quantum state, more precisely the singlet state, i.e., $|\Psi^-\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$. She sends one of the two particles to Bob. They both measure their particle in a basis chosen at random. Alice chooses from a basis rotated by an angle of $0$, $\pi/8$, or $\pi/4$; Bob chooses from $\pi/8$, $\pi/4$, and $3\pi/8$. She takes her outcome to be the measurement result, while he outputs the opposite of the measurement result. Note that the probability that Alice and Bob obtain the same outcome is $\cos^2\alpha$ when they measure in bases mutually enclosing an angle of $\alpha$, i.e., for $\alpha = 0$ they obtain perfectly correlated outcomes and for $\alpha = \pi/2$ they obtain perfectly anti-correlated outcomes. After all measurements are completed, they compare their results over the public authenticated channel and estimate the correlation of their outcomes given they measured in each possible combination of bases. They add the correlations for the basis pairs $(0, \pi/8)$, $(\pi/4, \pi/8)$ and $(\pi/4, 3\pi/8)$ (where the first angle is associated with Alice and the second with Bob) and subtract the correlation of the bases $(0, 3\pi/8)$. When this value is $2\sqrt{2}$, they continue, otherwise they abort.⁵ If they do not abort, they take exactly those outcomes as key where they measured in the same direction. The security of the protocol is based on the fact that a value of $2\sqrt{2}$ can only be reached by the singlet state and, because this state is pure, the eavesdropper's system cannot be correlated with it.

4 The original protocol [Eke91] uses spin-1/2 particles. For simplicity, we stick with the formulation in terms of photons.
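Ekert's test carried through on the singlet: an added example (not code from the thesis) that evaluates the Born rule for two rotated polarization bases, reproduces the $\cos^2\alpha$ agreement probability, sums the four correlations of the protocol to the Bell value $B$, and converts $B$ into the CHSH error $\varepsilon$ of a binary-input/binary-output system via the relation $1 - \varepsilon = 1/2 + B/8$ quoted later on this page (footnote 10), and into the $2\varepsilon$ distance-from-uniform bound stated in Section 1.4. The basis convention (outcome 0 is $\cos\theta|0\rangle + \sin\theta|1\rangle$) is an assumption of the example.

```python
import math

PI = math.pi


def singlet():
    """Singlet |Ψ⁻⟩ = (|01⟩ − |10⟩)/√2 as real amplitudes over |00⟩,|01⟩,|10⟩,|11⟩."""
    s = 1 / math.sqrt(2)
    return [0.0, s, -s, 0.0]


def basis_vector(theta, outcome):
    """Polarization basis rotated by theta (assumed convention): outcome 0 is
    cosθ|0⟩ + sinθ|1⟩, outcome 1 is the orthogonal −sinθ|0⟩ + cosθ|1⟩."""
    if outcome == 0:
        return [math.cos(theta), math.sin(theta)]
    return [-math.sin(theta), math.cos(theta)]


def joint_probability(theta_a, a, theta_b, b):
    """Born rule |⟨a_θA, b_θB | Ψ⁻⟩|²; all amplitudes here are real."""
    product_state = [x * y for x in basis_vector(theta_a, a)
                     for y in basis_vector(theta_b, b)]
    amplitude = sum(x * y for x, y in zip(product_state, singlet()))
    return amplitude * amplitude


def prob_same_output(theta_a, theta_b):
    """Probability that Alice's outcome equals Bob's output, where Bob
    reports the opposite of what he measured (as in Ekert's protocol).
    Equals cos²(θA − θB) for the singlet."""
    return sum(joint_probability(theta_a, a, theta_b, 1 - a) for a in (0, 1))


def correlation(theta_a, theta_b):
    """Correlation of the outputs: P[equal] − P[different] = 2·P[equal] − 1."""
    return 2 * prob_same_output(theta_a, theta_b) - 1


def ekert_bell_value():
    """The combination of correlations checked in Ekert's protocol
    (Alice's angle first); the singlet gives 2·sqrt(2)."""
    return (correlation(0, PI / 8) + correlation(PI / 4, PI / 8)
            + correlation(PI / 4, 3 * PI / 8) - correlation(0, 3 * PI / 8))


def chsh_error(bell_value):
    """ε with Pr[X ⊕ Y = U·V] = 1 − ε, using 1 − ε = 1/2 + B/8 (footnote 10)."""
    return 1 / 2 - bell_value / 8


def nonsignalling_distance_bound(bell_value):
    """The bound 2ε on the distance from uniform of one output bit against a
    non-signalling adversary, as stated in Section 1.4 of the thesis."""
    return 2 * chsh_error(bell_value)


if __name__ == "__main__":
    for alpha in (0, PI / 8, PI / 4, PI / 2):
        print(f"alpha={alpha:.4f}: P[same]={prob_same_output(0, alpha):.4f} "
              f"cos^2(alpha)={math.cos(alpha) ** 2:.4f}")
    B = ekert_bell_value()
    print(f"Bell value B = {B:.6f}  (2*sqrt(2) = {2 * math.sqrt(2):.6f})")
    print(f"epsilon = {chsh_error(B):.4f}, "
          f"distance-from-uniform bound 2*epsilon = {nonsignalling_distance_bound(B):.4f}")
```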

At first it seemed that Ekert's protocol relying on the monogamy of entanglement and Bennett and Brassard's protocol based on the uncertainty principle could be brought into a similar form [BBM92]. In both cases, the only property necessary for security seemed to be the fact that when Alice and Bob use bases pointing in the same direction, they obtain perfectly correlated outcomes. Indeed, a prepare-and-measure key distribution scheme, such as the one of Bennett and Brassard, can usually be formulated in terms of an entanglement-based protocol, such as the one of Ekert, by considering as state the superposition of the random choice of basis and encoded bit on Alice's side with the state corresponding to this random choice on Bob's side, i.e., the state $\sum_r \sqrt{P(r)}\,|r\rangle \otimes |\phi_r\rangle$, where $r$ is the random value and $|\phi_r\rangle$ the state that is sent conditioned on $r$ (see [Ren05] for a more detailed explanation). Alice then measures (in the computational basis) to obtain the random value $r$, while Bob does the same as in the original protocol.

However, after a more detailed investigation, it turned out that Ekert's protocol had an advantage over the BB84 protocol. Namely, in Ekert's protocol the key bits do not have any associated 'element of reality' [Eke91]. This implies that the eavesdropper 'is in the hopeless position of trying to intercept non-existent information' [BBM92]. This property can be very useful to overcome attacks taking advantage of flaws in the physical implementation and to create a key distribution protocol with untrusted devices, as we will explain below.

5 Note that this test corresponds to testing the value of the Bell inequality given in Section 2.6.

Figure 1.2: Ekert's quantum key distribution protocol [Eke91]. The marked bits form the key.



1.2 The Need for Device-Independence 

It has been discovered that quantum key-distribution protocols are vulnerable to imperfections in the physical implementation in such a way that an adversary could easily manipulate the apparatus so that the key-distribution scheme becomes completely insecure.

Imagine, for example, that in the BB84 protocol, several photons are sent from Alice to Bob [BLMS00, Lut00]. Eve could easily attack this system by storing some of the photons in a memory. Later, she can measure them in the basis announced by Alice and know the encoded bit with certainty. The scheme, therefore, crucially relies on the source emitting single photons to be secure. In practice, on the other hand, the photons are usually emitted by a laser with a Poissonian photon-number distribution, which is neither theoretically nor practically a single-photon source.

As a second possible way to attack the system, imagine that the devices 
encoding the bit and measuring the photon are faulty: Instead of encod- 
ing and measuring in two different bases chosen at random, they always 
use the same basis. The eavesdropper can measure the photon in this 
basis without disturbing it. She can learn the bit perfectly, but will remain 
completely unnoticed by Alice and Bob. 

The BB84 scheme is particularly vulnerable to the problem that the bit or basis might not only be encoded in the photon, but additionally in other carriers. This problem was already noticed when the BB84 protocol was implemented for the very first time [BBB+92]: the devices responsible for the choice of the polarization angle made a loud noise and this noise was different depending on the angle, such that the scheme could only reach security against a completely deaf eavesdropper [Bra05].

In fact, in the security analysis of quantum key distribution, the dimension of the systems, i.e., their Hilbert spaces, always enters into the calculations, both in the estimation of the entropy the adversary has about the raw key, as well as in the reduction of coherent to collective attacks (de Finetti theorem) [Ren05]. These security proofs, therefore, only hold when the dimension of the system is known, which cannot be assumed if the adversary can tamper with the devices. For the security proof of quantum key distribution, it is, therefore, assumed that the devices are trustworthy and work exactly as specified.

This shows that even though quantum key distribution is often claimed to be unconditionally secure (meaning that it does not rely on computational hardness assumptions), it actually does make certain assumptions. The first of these assumptions — always present in key agreement — is that Alice and Bob have secure laboratories. If the eavesdropper can look over Alice's shoulder when she is typing the key into her computer to use it for encryption, or if the physical device contains a transmitter sending all raw data to Eve, it is clear that no security is possible.⁶ This assumption is crucial and cannot be removed. Even though it might seem clear that such attacks need to be prevented somehow, this might not always be trivial in practice. There are examples of successful attacks where critical information about the key has been read from the screen via reflections [BDU08], from acoustic disk noise [ST04], from protocol response time [Koc96, Ber05] or from the electromagnetic waves emitted by the screen [Kuh03]. In quantum key distribution, information about the raw key could be inferred from timing information exchanged over the public authenticated channel [LLK07]. Alice and Bob, therefore, need to shield their laboratories securely.

6 In classical cryptography it has recently been investigated how to construct encryption schemes which are robust against (partial) leakage of the key [DHLAW10, BKKV10].

A further assumption usually present in quantum key distribution is that Alice and Bob have complete control over their physical devices (i.e., only the quantum channel is corrupted) and know their exact and complete specification. For example, if the device is supposed to emit a single photon with an encoded bit, it cannot emit another particle where this bit is also encoded. We have argued above that a failure of this assumption can directly lead to possible attacks on the quantum key-distribution scheme. These attacks are not only theoretical constructions, but can be implemented in practice and used to break even commercially available quantum key-distribution schemes [Mak09].

Additionally, Alice and Bob need to be able to toss coins, i.e., have local trusted sources of randomness. In particular, it is important that they can choose their measurement bases at random and independently of the eavesdropper, and that they can choose random samples to test their systems. It is clear that if the eavesdropper could know beforehand, or even choose, the randomness used for either of these two processes, it would be easy to attack successfully.⁷

Finally, it is normally assumed that Alice and Bob are able to do clas- 
sical computation (perfectly). For example, they need to be able to calcu- 
late the statistics of their measurement outcomes. In the case of the BB84 
protocol this corresponds to counting correctly the number of bits which 
were incorrectly received by Bob when measuring in the same basis. This 
is crucial to estimate the error rate and to abort in case the eavesdropper 
intercepted too many messages. The classical post-processing of Alice's 
and Bob's data is usually also assumed to be error-free. 

The goal of device-independent quantum key distribution is to reduce the above assumptions to a minimum, in particular, to remove all assumptions about the exact working of the physical devices.⁸ The devices could then even be manufactured by the adversary. Ideally, the security should only rely on testable features of the devices, for example, the statistics of their behaviour. The honest parties would then only need to trust their ability to do classical calculations (to compute the statistics) and the shielding of their laboratories.

7 If Alice and Bob can build quantum devices, they can, of course, use quantum physics to build a random number generator.



1.3 Possible Approaches 

Mayers and Yao [MY98] noted that in the context of device-independent key distribution, entanglement-based protocols have a major advantage compared to prepare-and-measure protocols. They propose a source with an additional testing device — taking purely classical inputs and outputs — such that these classical inputs and outputs can be used to test whether the source is suitable for quantum key distribution. They call this a self-checking source. They noted that there exist certain correlations of the measurement results of quantum states which can only be achieved by a state equivalent to the singlet state. In particular, the correlations used in the entanglement-based protocol (Figure 1.2) to test for entanglement are of this type. Security follows because the singlet state necessarily needs to be independent of any state the eavesdropper might have. The argument of Mayers and Yao was made robust against noise [MMMO06] and extended to self-checking of circuits and other devices. In [ABG+07], a device-independent quantum key-distribution protocol secure against collective⁹ attacks was given. Under a plausible, but unproven conjecture, this protocol can even be made secure against the most general attacks if the measurement devices are memoryless [McK10].

The idea used in the security proof of these device-independent schemes is that, for binary outcomes, the Hilbert space is in some sense equivalent to the Hilbert space of qubits. It is then sufficient to restrict to the case of qubits in the security analysis, which means that eavesdropping can be detected using a Bell test. If this test gives a value close to $2\sqrt{2}$ (for the case of the CHSH inequality, see Section 2.6.1), the state must also be close to the singlet state (potentially embedded into higher dimensions). The realization of these key-agreement protocols is, therefore, very similar to an entanglement-based protocol.

8 We will not consider the case where Alice and Bob do not trust their random number generator, but assume that they can toss random coins. For a proposal how to build device-independent sources of randomness starting from a small random seed, see [Col06].

9 In a collective attack each of the systems is attacked independently and individually, but a joint measurement can be performed on Eve's system in the end.

Barrett, Hardy, and Kent [BHK05] observed that the correlations obtained from measuring an entangled quantum system can be used to prove the security of key distribution based on the non-existence of hidden variables describing this physical system. In fact, Bell [Bel64] had shown that it is not possible to describe the correlations obtained from measurements on certain entangled quantum states in a way that each of the measurements has a well-defined pre-determined outcome. Barrett, Hardy, and Kent show that there exist certain quantum correlations such that the measurement outcomes even need to be completely random before the measurement is actually carried out. This property can be used to show that the measurement outcomes need to be completely independent of any information the eavesdropper can possibly hold.

Note that the scheme Barrett, Hardy, and Kent propose uses quantum physics to create these (observable) correlations. However, the security is based only on the requirement that no information can be exchanged between the three parties via the system and it is, therefore, independent of quantum physics. The scheme they propose works as follows (see Figure 1.3). Alice and Bob measure $n$ singlet states using one out of $N$ possible bases on a circle (where the $N$th basis corresponds to a $\pi/2$ rotation compared to the 0th basis). Bob inverts his outcome bit. They announce the measurement bases over the public authenticated channel and keep only the results for which they have measured in the same or in neighbouring bases modulo $N$ (i.e., where they either had a very small angle between the measurement directions or an angle of almost $\pi/2$). From the remaining measurements, they uncover all but one result. They check whether all the results where they measured almost in the same direction were equal and all the results where they measured in almost orthogonal directions were different. If this is not the case, they abort. If they did not abort, they take the remaining measurement outcome as key bit (with Bob inverting the value in case they measured at almost $\pi/2$). The scheme works because measuring a quantum system gives a higher probability of passing the test than what could be achieved by classical shared randomness.
Figure 1.3: The protocol of Barrett, Hardy, and Kent. Alice and Bob choose a number $i$ at random from $\{0, \dots, N-1\}$ and measure the singlet in a basis turned by an angle $i\pi/2N$. The marked bit is the key.



The scheme proposed by Barrett, Hardy, and Kent is secure against the 
most general attacks. However, it only works if the quantum system and 
the measurement are perfectly noiseless, as otherwise the scheme will 
abort. Furthermore, its security is at most directly proportional to the 
number of systems used, which implies that it only reaches a zero key 
rate. The reason for this is that the measurement outcomes are directly 
used as part of the key (without doing privacy amplification). 

One proposition to overcome this problem is to use an entanglement-based scheme as given in Figure 1.2. Indeed, it can be shown that the outputs of such a system are also partially secret against non-signalling eavesdroppers. This system corresponds, in fact, to the case $N = 2$ in the scheme of Barrett, Hardy, and Kent. The idea is to use several of these partially secure bits to create a highly secure bit using privacy amplification, i.e., by applying a function to them. Of course, when Alice's and Bob's measurements enclose a certain angle, they will, in general, not obtain highly correlated outcomes and they will also need to do information reconciliation to correct the errors in their raw keys. Such classical post-processing does indeed work if the eavesdropper's attacks are restricted to individual attacks [AGM06, AMP06, SGB+06], i.e., the eavesdropper is assumed to attack and measure each system independently. For general attacks, privacy amplification against non-signalling adversaries is, however, only possible if additional non-signalling conditions are imposed between the subsystems [Mas09, HRW10, HRW08].

The implementation of these protocols then works again along similar lines as an entanglement-based protocol.



1.4 Outline and Main Results 



In this thesis, we study both approaches to device-independent quantum 
key distribution, using the whole of quantum physics and using only 
the impossibility of signalling via the physical devices (non-signalling 
principle). Below, we give an outline of the thesis with an overview of 
the main results. We include an informal description of the 'proof idea' 
and point to the locations where the formal statements and proofs can be 
found. 



Preliminaries 

In the next chapter, we establish the notation and review the techniques we will use. The basics of probability theory are explained in Section 2.1 and the notion of (computational) efficiency in Section 2.2. We will show security based on random systems and by comparing our system to an ideal system. This approach and what it means for a key to be secure is explained in Section 2.3. As a tool, we will use convex optimization in the security analysis, which we review in Section 2.4. We then introduce the basic laws of quantum physics (Section 2.5). In Section 2.6 we study which systems can be realized using different resources, in particular shared randomness (Section 2.6.1), quantum mechanics (Section 2.6.2), and general non-signalling theories (Section 2.6.3).
Key distribution secure against non-signalling adversaries

In Chapter 3 we study key agreement in the presence of adversaries only 
limited by the non-signalling condition. This means that the adversary 
can interact with the physical system in an arbitrary way as long as this 
interaction does not imply communication between the different subsys- 
tems. Even though this non-signalling condition might be inspired by 
quantum mechanics, this approach does not require the validity of quan- 
tum mechanics for the security proof. The systems are implemented by 
quantum physics (i.e., we think that such systems exist, because quantum 
mechanics predicts them), but for the security analysis this is completely 
irrelevant. Security is based only on the observed correlations. 



Main results: We show that for any type of partial non-signalling secrecy, privacy amplification against non-signalling adversaries is possible using a deterministic privacy amplification function (the XOR) if the non-signalling condition holds between all subsystems. This insight leads to a device-independent key-distribution scheme which is efficient in terms of classical and quantum communication.



Informal proof sketch: Assume Alice and Bob share some kind of physical system. They can choose a measurement and obtain a result. We model this abstractly as a non-signalling system $P_{XY|UV}$ (see the left-hand side of Figure 1.4) taking inputs and giving outputs. The attack a non-signalling adversary can make on such a system corresponds exactly to the choice of a convex decomposition (input) and obtaining one of the elements (output) (see Lemmas 3.1, p. 66, and 3.2, p. 67).

Figure 1.4: By Lemmas 3.1 and 3.2 an attack of the eavesdropper corresponds to a choice of convex decomposition. Her outcome is an element in the convex decomposition.

The question how much Eve can know about Alice's output bit $X$, therefore, corresponds to finding the best convex decomposition of Alice's and Bob's system such that, given $Z$, Eve can guess $X$.

Since the conditions on a non-signalling system are linear, we can characterize this quantity by a linear program (see Lemma 3.9, p. 77), i.e., an optimization problem of the form

PRIMAL
$$\max\; b^T x \quad \text{s.t.}\quad A\,x \le c$$

where $x$ is a vector, $A$ contains, amongst others, the non-signalling conditions and $c$ contains the probabilities $P_{XY|UV}$ of the marginal system as seen by Alice and Bob. The maximal distance from uniform of $X$, from a non-signalling adversary's point of view, is $b^T x^*/2$, where $x^*$ is the optimal solution of this linear program.

As an example, consider a system with binary inputs and outputs such 
that Pi[X 8 Y = U ■ V] = 1 - £0 In this case, the distance from uniform 
of Alice's output bit X is at most 2s, i.e., the more non-local the system is, 
the more secret is the output bit. 

Alternatively to the primal form, we can consider the dual form of the linear program, given by

DUAL
$$\min:\ c^T\cdot\lambda \qquad \text{s.t.}\ A^T\cdot\lambda = b,\ \ \lambda \ge 0 .$$

Any dual feasible $\lambda$ gives an upper bound on the primal value ($b^T x \le c^T\lambda$) and, therefore, on Eve's knowledge about the bit. The dual value is of the form $c^T\lambda$, where $c$ contains the marginal probabilities, and it, therefore, corresponds to an event defined by the inputs and outputs of Alice's and Bob's system. This implies that Alice and Bob can 'read' the secrecy of the bit from the behaviour of their system (Lemma 3.10).

10 Note that this corresponds to the Bell test performed in [Eke91]. A value of $B$ in the Bell test — the maximum quantum value being $2\sqrt{2}$ — corresponds to $1-\varepsilon = 1/2 + B/8$, see Section 2.6.

In the above example of a system with binary inputs and outputs, there exists a $\lambda$ (the optimal one) such that $c^T\lambda/2 = 2\Pr[X\oplus Y \neq U\cdot V] = 2\varepsilon$ (see the worked example in Chapter 3).

Now consider the case where Alice and Bob share $n$ copies of a bipartite non-signalling system. This can be seen as a $(2n)$-party non-signalling system, where the non-signalling condition must hold between all subsystems. Our main insight, stated in Lemma 3.12, p. 83, is that a system is $(2n)$-party non-signalling if and only if it fulfils $A^{\otimes n} x = 0$, where $A$ are the conditions a bipartite non-signalling system must fulfil.

We can then show that the security of the XOR of several (partially secure) bits $X_i$ can be calculated by the linear program (in its dual form)

DUAL
$$\min:\ c_n^T\cdot\lambda_n \qquad \text{s.t.}\ (A^{\otimes n})^T\cdot\lambda_n = b^{\otimes n},\ \ \lambda_n \ge 0 ,$$

i.e., it is the 'tensor product' of the individual linear programs. This implies that for any $\lambda$ which is feasible for a single system, $\lambda_n = \lambda^{\otimes n}$ is feasible for $n$ systems (Lemma 3.13, p. 84), and this gives an upper bound on the distance from uniform. When the $n$ bipartite marginal systems behave independently, i.e., they are of the form $c^{\otimes n}$, this gives an upper bound on Eve's knowledge of $(c^T\lambda)^n/2$, and the $(2n)$-party system is as secure as if Eve had attacked each of the partial systems individually. In our example, the maximal distance from uniform of the XOR of $n$ bits is $(4\varepsilon)^n/2$. The general statement for systems which do not necessarily have product form is given in Theorem 3.1, p. 85.
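The binary-input/output example above, the value $2\varepsilon$ of the optimal dual, and the product bound $(4\varepsilon)^n/2$ for the XOR can be checked numerically with the following script, added here as an illustration (it is not code from the thesis). It constructs the isotropic system with $\Pr[X\oplus Y = U\cdot V] = 1-\varepsilon$, checks the non-signalling equalities that the matrix $A$ encodes, writes Eve's attack as an explicit convex decomposition into a PR box and local deterministic strategies (this decomposition, the function names and the assumption $\varepsilon \le 1/4$ are mine), and evaluates her distance from uniform for one output bit and for the XOR of $n$ independent copies.

```python
from itertools import product

BITS = (0, 1)

def isotropic_box(eps):
    """Constructed sample system with binary inputs/outputs and
    Pr[X xor Y = U*V] = 1 - eps: for every input pair (u, v) the two 'winning'
    output pairs share probability 1 - eps and the two 'losing' ones share eps.
    eps = 0 is the PR box (maximally non-local), eps = 1/4 is local."""
    return {(x, y, u, v): (1 - eps) / 2 if (x ^ y) == (u & v) else eps / 2
            for x, y, u, v in product(BITS, repeat=4)}

def deterministic_box(a0, a1, b0, b1):
    """Local deterministic strategy: Alice outputs a_u on input u, Bob b_v on v."""
    return {(x, y, u, v): 1.0 if (x, y) == ((a0, a1)[u], (b0, b1)[v]) else 0.0
            for x, y, u, v in product(BITS, repeat=4)}

def is_non_signalling(box, tol=1e-12):
    """Normalization plus the non-signalling equalities that form rows of the
    LP matrix A: Alice's marginal P(x|u) must not depend on Bob's input v, and
    Bob's marginal P(y|v) must not depend on Alice's input u."""
    for u, v in product(BITS, BITS):
        if abs(sum(box[x, y, u, v] for x, y in product(BITS, BITS)) - 1) > tol:
            return False
    for x, u in product(BITS, BITS):
        alice = [sum(box[x, y, u, v] for y in BITS) for v in BITS]
        if abs(alice[0] - alice[1]) > tol:
            return False
    for y, v in product(BITS, BITS):
        bob = [sum(box[x, y, u, v] for x in BITS) for u in BITS]
        if abs(bob[0] - bob[1]) > tol:
            return False
    return True

def win_probability(box):
    """Pr[X xor Y = U*V] for uniformly chosen inputs (the CHSH game)."""
    return sum(box[x, y, u, v] for x, y, u, v in product(BITS, repeat=4)
               if (x ^ y) == (u & v)) / 4

def mix(parts):
    """Convex combination sum_i w_i * box_i of a list of (weight, box) pairs."""
    return {k: sum(w * box[k] for w, box in parts) for k in parts[0][1]}

def eve_decomposition(eps):
    """Eve's attack as an explicit convex decomposition (assumes eps <= 1/4):
    P_eps = (1 - 4 eps) * PR + 4 eps * L, where L is the isotropic box with
    winning probability 3/4.  L is local: it is the uniform mixture of the
    eight deterministic strategies that win on three of the four input pairs,
    so in those elements Eve knows Alice's output exactly."""
    parts = [(1 - 4 * eps, isotropic_box(0.0))]
    winners = [s for s in product(BITS, repeat=4)
               if win_probability(deterministic_box(*s)) == 0.75]
    parts += [(4 * eps / len(winners), deterministic_box(*s)) for s in winners]
    return parts

def alice_p0(box, u=0):
    """P(X = 0 | u) in a given element; Alice's input u is public, and by
    non-signalling the value does not depend on Bob's input."""
    return sum(box[0, y, u, 0] for y in BITS)

def xor_distance_from_uniform(parts, n):
    """Distance from uniform of X_1 xor ... xor X_n as seen by Eve when she
    attacks each of n independent copies with the decomposition `parts`:
    the sum over her joint outcomes of weight * |Pr[XOR = 0] - 1/2| within
    that element.  n = 1 gives the distance from uniform of one output bit."""
    total = 0.0
    for combo in product(parts, repeat=n):
        weight, p_even = 1.0, 1.0  # p_even: probability that the XOR so far is 0
        for w, box in combo:
            p0 = alice_p0(box)
            weight, p_even = weight * w, p_even * p0 + (1 - p_even) * (1 - p0)
        total += weight * abs(p_even - 0.5)
    return total

if __name__ == "__main__":
    eps = 0.1
    parts = eve_decomposition(eps)
    target = isotropic_box(eps)
    print("all elements non-signalling:", all(is_non_signalling(b) for _, b in parts))
    print("decomposition reproduces P_eps:",
          all(abs(mix(parts)[k] - target[k]) < 1e-12 for k in target))
    for n in (1, 2, 3):
        print(f"n={n}: XOR distance from uniform {xor_distance_from_uniform(parts, n):.4f}"
              f"  bound (4 eps)^n/2 = {(4 * eps) ** n / 2:.4f}")
```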

The insight that the XOR can be used to create a highly secure bit can be used to construct a key-agreement scheme where the key bits and the error-correction information are formed by the XOR of random subsets of the physical bits $X_i$. Such a scheme is analysed in Chapter 3, where an explicit protocol, implementable roughly as the one in Figure 1.2, is also shown to be secure against a non-signalling adversary.
Key distribution secure against quantum adversaries

We then turn to the analysis of device-independent key agreement secure against quantum adversaries in Chapter 4. In this scenario, all systems have to be implemented by quantum physics, but we do not make any assumptions on how they are implemented (Hilbert space dimension, etc.). The reason to consider this scenario is that a non-signalling adversary is stronger than (realistically) necessary, which gives lower key rates.

The difficulties arising in device-independent key agreement in the presence of quantum adversaries are different from the ones in the non-signalling case. In the non-signalling case, the difficulty was privacy amplification, i.e., to show that an adversary cannot attack the key bit created from several bits significantly better than when each of these bits is attacked individually. On the other hand, it is already known that a highly secure string can be created from a partially secure one by privacy amplification [RK05] even when the adversary can hold quantum information. The crucial question in this case is, therefore, to determine the secrecy contained in the initial string. This secrecy is quantified by the min-entropy, which in turn directly relates to the probability with which the adversary can guess the value of the string correctly. This will, therefore, be the quantity we are interested in bounding.



Main results: We show how the probability that an adversary can guess 
the output of a quantum system can be calculated using a semi-definite 
program. We then show that the guessing probability of the outputs of 
several quantum systems, where measurements on different subsystems 
commute, follows a product theorem, in the sense that the probability to 
guess the whole string correctly is the product of the guessing probabil- 
ity of each subsystem. Using this property, we can construct a device- 
independent key-agreement scheme secure against the most general at- 
tacks by a quantum adversary. 



Informal proof sketch: Conceptually, our approach is similar to the one 
in the case of non-signalling adversaries. We will also show that the con- 
ditions several quantum systems must fulfil are the tensor product of the 
conditions of the individual systems. 
Alice and Bob share a quantum system characterized by a probability distribution $P_{XY|UV}$. An adversary trying to guess Alice's string $X$ can choose a measurement on her part of the system and obtain a measurement result. What measurement she performs can, of course, depend on additional information. Any measurement induces a convex decomposition of Alice's and Bob's system, where each element needs to be a quantum system, i.e., Eve's possibilities are given by Figure 1.5.

Figure 1.5: A quantum adversary's possibilities to attack a system (see Lemma 4.1, p. 106). The choice of measurement induces a convex decomposition of Alice's and Bob's system.

Finding the maximal guessing probability, therefore, corresponds to the optimization problem of finding the sum of quantum systems with a fixed marginal system of Alice and Bob that gives the best value, as stated in the corresponding lemma of Chapter 4 (p. 110).

We then use a semi-definite criterion that any quantum system must fulfil [NPA07], more precisely, a sequence of semi-definite criteria which can approximate the set of quantum systems arbitrarily well [DLTW08, NPA08]. Using this sequence as condition on the elements of the convex decomposition, we can bound the guessing probability by a semi-definite program (Lemma 4.4, p. 112), i.e., an optimization problem of the form

PRIMAL
$$\max:\ b^T\cdot x \qquad \text{s.t.}\ A\cdot x = c,\ \ x \succeq 0$$

where '$\succeq 0$' means that the matrix corresponding to $x$ must be positive semi-definite. The matrix $A$ contains the condition that the measurement operators on different parts of the system commute, that all measurement operators are orthogonal projectors, and that the operators associated with the same measurement sum up to the identity. The vector $c$ contains the marginal system of Alice and Bob. We can then write the probability that Eve correctly guesses Alice's value as $P_{\mathrm{guess}} \le b^T x^*$.

The dual of the above semi-definite program is of the form

DUAL
$$\min:\ c^T\cdot\lambda \qquad \text{s.t.}\ A^T\cdot\lambda \succeq b$$

and any dual feasible solution gives an upper bound on the possible guessing probability of a quantum adversary in terms of the probabilities describing the system shared between Alice and Bob.

Strictly speaking, the vector $c$ above contains certain entries which can be calculated knowing the state and measurements of Alice and Bob, but which do not correspond to an observable quantity. The above semi-definite program can, therefore, be used to calculate security in the device-dependent scenario. To obtain the device-independent scenario, we modify the program to optimize additionally over all the unknown entries which are compatible with the observable behaviour of the system (i.e., the probabilities $P_{XY|UV}$). This is done in Section 4.3.2.

Our main technical insight is that a $(2n)$-party quantum system (where the quantum state is arbitrary but measurements act on a specific subsystem) must necessarily fulfil the conditions $A^{\otimes n}$ characterized by the tensor product of the conditions associated with a bipartite system (see Chapter 4, p. 122). This implies that the dual of the semi-definite program calculating the guessing probability of the output of $n$ systems is of the form (Lemma 4.10, p. 123)

DUAL
$$\min:\ c_n^T\cdot\lambda_n \qquad \text{s.t.}\ (A^{\otimes n})^T\cdot\lambda_n \succeq b^{\otimes n} .$$

Since $b \succeq 0$, using a criterion from [MS07], this implies that for any $\lambda$ that is feasible for a single system, $\lambda^{\otimes n}$ is feasible for $n$ systems, as stated in Chapter 4.

If the $n$ marginal systems are independent (i.e., $c_n = c^{\otimes n}$), this implies that the probability that Eve correctly guesses the value of Alice's string is the product of the probabilities that she guesses each output correctly. More precisely, if the guessing probability of an individual system is bounded by $P_{\mathrm{guess}} \le c^T\lambda$, then for $n$ systems it is bounded by the product $P_{\mathrm{guess}}^{n} \le (c^T\lambda)^n$. In terms of the min-entropy this means that the min-entropy of $n$ systems is $n$ times the min-entropy of the individual systems. The general statement for arbitrary marginals is given in Theorem 4.3, p. 124.

Using this insight, it is possible to create a secure key agreement scheme. We first consider the case where the $n$ bipartite marginal systems behave independently (Section 4.5) before considering the general case in Section 4.6. Finally, in Section 4.7 we give a protocol similar to [Eke91] and analyse its security in the device-independent scenario with commuting measurements.



Necessity of non-signalling condition 

In the last chapter (Chapter 5) we study the question whether an additional non-signalling condition between the subsystems is necessary. The setup we consider is the one where Alice and Bob share $n$ systems such that $\Pr[X_i \oplus Y_i = U_i\cdot V_i] = 1-\varepsilon$ (and $X_i$ and $Y_i$ are uniform random bits). As seen above, the output $X_i$ of each of these systems is partially secure. We ask the question whether Alice can create a bit $B = f(X)$ (where $X = X_1\ldots X_n$) from her outputs that is highly secure, even when Eve can attack all systems at once and only needs to respect a non-signalling condition between Alice, Bob and Eve.



Main results: We first show that two partially secure systems are as local as a single one. This implies that they cannot be more secure. We then give a general attack for any number of systems such that the information a non-signalling adversary can gain about any bit $B = f(X)$ is large. More precisely, there exists a constant lower bound independent of the number of systems. This shows that privacy amplification is not possible in this setup.

Informal proof sketch: We first consider the case of one or two sys- 
tems and calculate their so-called local part. The local part is the maximal 
weight a local system can have in a convex decomposition of the system. 
This corresponds to the fraction of runs that need to give rise to non-local 
correlations when repeating an experiment and is a way of quantifying 
non-locality as a resource. Since for any local system, a non-signalling ad- 
versary can always have perfect knowledge about the outcomes (when 
the inputs are public), the local part gives an upper bound on the ex- 
tractable secrecy of a non-signalling system (and a lower bound on the 
knowledge of the eavesdropper). 

We show that two systems are as local as a single one (Lemma 5.5, p. 151) and that they can, therefore, not be more secure (see Figure 1.6).

Figure 1.6: Local part of two systems.



For more than two systems, we give an attack directly, not using the local part. In Section 5.5.2 we show that for any number of systems and for any function, there exists a specific good attack. Intuitively, this attack corresponds to a convex decomposition of Alice's and Bob's system, such that each element has weight 1/2 (for an impossibility proof this is sufficient), and $P^0_{XY|UV}$ is such that the bit $B = f(X)$ is maximally biased towards 0 (note that $P^0_{XY|UV}$ looks like $n$ systems).

Figure 1.7: The successful attack in the tripartite non-signalling case is such that, with probability 1/2, Eve obtains an outcome such that the bit $B$ is biased to 0.



In order to define an attack, it is sufficient to construct a non-signalling system $P^0_{XY|UV}$ such that
$$P^0_{XY|UV}(x,y,u,v) \le 2\cdot P_{XY|UV}(x,y,u,v) .$$

This corresponds exactly to the condition that there exists a second non-signalling system $P^1_{XY|UV}$ summing up to the correct marginal (Lemma 3.8).

Intuitively we construct $P^0_{XY|UV}$ starting from $P_{XY|UV}$ and by 'moving around probabilities' such that the system remains non-signalling and the above condition is fulfilled. (This intuition is explained in Figure 1.8; the formal definition is given on p. 154.) We prove that this indeed defines a convex decomposition of Alice's and Bob's joint system in Lemma 5.8, p. 155, and Lemma 5.9, p. 156.

Figure 1.8: For the successful attack, we construct $P^0_{XY|UV}$ starting from $P_{XY|UV}$ and shifting around probabilities.

Using this attack, we show that the distance from uniform of the bit $f(X)$ as seen from Eve is at least
$$\max\left\{\ \frac{1}{2}\cdot\big|P(f(X)=0) - P(f(X)=1)\big|\ ,\ \ \sum_{y}\min\big\{P(f(X)=0\mid Y=y),\ P(f(X)=1\mid Y=y)\big\}\ \right\}$$
(see Lemma 5.10, p. 157), where the first term is the bias of the bit $f(X)$ and the second term is the sum over all possible outputs on Bob's side of the minimal probability that the bit $B$ is 0 or 1 given this specific value $y$.

In case the function $f$ is linear, we can explicitly calculate this value (see the lemma on p. 158). It is always at least $\varepsilon$, but when taking the XOR of many bits it becomes even larger.

In Section 5.6.2 we show that this same attack can also be used against any function. We do this in several steps: First, we show that, doing this attack, Eve always gains a substantial amount of information unless Alice and Bob have highly correlated bits (Lemma 5.13, p. 162). Then we show that if Alice applies a biased function to obtain her secret bit, Eve can also attack (Lemma 5.16, p. 164). We can finally use a result from [Yan07] on non-interactive correlation distillation stating that it is not possible to produce an unbiased highly correlated bit from several weakly correlated bits by applying a function. This leads to a constant lower bound on Eve's information about the key bit, independent of the number of systems used (Theorem 5.2, p. 164), and implies that privacy amplification is not possible in this setting.



Chapter 2 



Preliminaries 



2.1 Probability Theory 

Probabilities 

The result of a random experiment is called an event and, roughly speaking, the chance that such an event is realized is its probability. In order to be able to define the probability of an event, it is necessary to know what events can actually occur. The set of possible outcomes of a random experiment is called sample space and denoted by $\Omega$. Every subset $A$ of $\Omega$, i.e., $A \in \mathcal{P}(\Omega)$, is an event.

We will only encounter discrete probability spaces, i.e., the case when $\Omega$ is a finite or countably infinite set, and restrict to this case hereafter. For a more detailed introduction to probability theory we refer to textbooks, such as [Fil68, Lec98].

Definition 2.1. A discrete probability space is a triple $(\Omega, \mathcal{A}, P)$, where $\Omega$ is a set, $\mathcal{A} \subseteq \mathcal{P}(\Omega)$, and $P\colon \mathcal{A} \to [0,1]$ is a function such that

• $P(\Omega) = 1$,

• for every sequence of events $A_i$ such that $A_i \cap A_j = \emptyset$ holds for $i \neq j$, we have $P(\bigcup_i A_i) = \sum_i P(A_i)$.

$P$ is called probability on $(\Omega, \mathcal{A})$.

When $\Omega$ is discrete, it is actually sufficient for the definition of a probability space to associate a positive number $p_i$ with each $\omega_i \in \Omega$, called elementary event, such that $\sum_i p_i = 1$. The probability of any event $A$ is then the sum of the probabilities associated with the elementary events in $A$.

We define the conditional probability of an event A given another event B. 
This probability is different from the probability of the event A, because 
the set of possible events is now restricted to the subsets of B, instead 
of CI. 

Definition 2.2. Let $(\Omega, \mathcal{A}, P)$ be a discrete probability space and $B \in \mathcal{A}$ an event with $P(B) > 0$. The conditional probability of an event $A \in \mathcal{A}$ is

Two events A and B are called independent if the probability that both 
events happen is the product of the two probabilities. 

Definition 2.3. Two events $A$ and $B$ are called independent if
$$P(A \cap B) = P(A)\cdot P(B) .$$

Conditioning $A$ on an independent event $B$ leaves its probability unchanged, i.e.,
$$P(A \mid B) = P(A) .$$

Random variables 

A random variable is a way of encoding the events in $\Omega$ by a number.

Definition 2.4. A discrete random variable $X$ on a probability space $(\Omega, \mathcal{A}, P)$ is a map $X\colon \Omega \to \mathbb{R}$ such that $X(\Omega)$ is countable. Furthermore,
$$X^{-1}(x) = \{\omega \in \Omega \mid X(\omega) = x\} \in \mathcal{A} .$$

The function $P_X\colon \mathcal{X} \to [0,1]$, such that
$$P_X(x) = P(A)\ ,\quad \text{where } A = X^{-1}(x) ,$$
is called probability distribution of the random variable $X$.

We will denote random variables by capital letters, such as X, the range 
of the random variable by calligraphic letters, X, and the value a ran- 
dom variable has taken by lower-case letters x. The probability that the 
random variable X takes value x is Px(x). Sometimes we will drop the 
index when the random variable is clear from the context. 

We can also define the joint probability distribution of two (or more) random 
variables. 

Definition 2.5. Consider two random variables $X$ and $Y$ defined on the same sample space. The function $P_{XY}\colon \mathcal{X} \times \mathcal{Y} \to [0,1]$ defined as
$$P_{XY}(x,y) = P(A \cap B)\ ,\quad \text{where } A = X^{-1}(x) \text{ and } B = Y^{-1}(y) ,$$
is called the joint probability distribution of $X$ and $Y$.



When the joint probability distribution of two (or more) random variables 
is given, we will sometimes consider the marginal distribution of X. This 
is the distribution of the random variable X of a joint distribution when 
one ignores the value of the second random variable Y. 

Definition 2.6. Given the joint probability distribution $P_{XY}$ of two random variables $X$ and $Y$, the marginal distribution of $X$ is
$$P_X(x) = \sum_{y} P_{XY}(x,y) .$$



In analogy with the case of events, we also define the conditional proba- 
bility distribution as the distribution of the random variable X, given that 
another random variable Y has taken the value y. 

Definition 2.7. The conditional probability of $X = x$ given $Y = y$ with $P_Y(y) > 0$ is
$$P_{X|Y=y}(x) = \frac{P_{XY}(x,y)}{P_Y(y)} .$$

The conditional probability distribution $P_{X|Y}$ is
$$P_{X|Y}(x,y) = P_{X|Y=y}(x) .$$



A conditional probability distribution can be seen as a system taking as 
input the random variable Y and giving a (probabilistic) output X, de- 
pending on the input y. 

When considering the conditional probability distribution of several random variables, $P_{XY|UV}$, the marginal conditional distribution $P_{X|UV}$ can be defined in the same way as the marginal distribution. Furthermore, if it holds that $P_{X|UV}(x,u,v) = P_{X|UV}(x,u,v')$ for all $v, v' \in \mathcal{V}$, then we drop the second conditional random variable in the notation and simply write $P_{X|U}$, where



We also define the expectation value of a random variable $X$.

Definition 2.8. Let $X$ be a random variable with distribution $P_X$. The expectation value of $X$ is
$$\langle X \rangle = \sum_{x} P_X(x)\cdot x .$$

A special probability distribution is the uniform distribution, i.e., the one where all possible outcomes are equally likely.

Definition 2.9. Let $U$ be a random variable of range $\mathcal{U}$. The uniform distribution over $\mathcal{U}$ is

We will often use the letter $U$ (for 'uniform') to denote a random variable which is uniformly distributed.

1 This is in particular the case when considering non-signalling systems, which will be defined in Section 2.6.3.
Distance between distributions

The distance between two distributions of the same random variable can be measured by the variational distance. The variational distance is exactly the minimal probability that the random variable drawn from one or the other distribution takes a different value.

Definition 2.10. Let $P$ and $Q$ be distributions over $\mathcal{X}$. The variational distance between $P$ and $Q$ is
$$d(P,Q) = \frac{1}{2}\sum_{x} |P(x) - Q(x)| .$$

Of particular importance for us is the distance of a distribution $P_X$ from the uniform one. We denote this distance by $d(X)$.

Definition 2.11. The distance from uniform of a random variable $X$ over $\mathcal{X}$ with distribution $P_X$ is the variational distance between $P_X$ and the uniform distribution over $\mathcal{X}$, i.e.,
$$d(X) = \frac{1}{2}\sum_{x \in \mathcal{X}} \left| P_X(x) - \frac{1}{|\mathcal{X}|} \right| .$$

Note that when $X$ is a bit, i.e., $\mathcal{X} = \{0,1\}$, then
$$d(X) = \frac{1}{2}\sum_{x=0}^{1} \left| P_X(x) - \frac{1}{2} \right| = \left| P_X(0) - \frac{1}{2} \right| = \frac{1}{2}\,|P_X(0) - P_X(1)| .$$



Figure 2.1: The distance from the uniform distribution is either of the two shaded areas.

Chernoff bounds and sampling

Lemma 2.1 (Chernoff [Che52], Hoeffding [Hoe63]). Let $X_1, \ldots, X_n \in \{0,1\}$ be $n$ independent random variables such that for each $i$, $X_i$ is drawn according to the distribution $P_X$ with $P_X(1) = p$. Then for any $\varepsilon > 0$ it holds that
$$\Pr\left[\frac{1}{n}\sum_{i} X_i \ge p + \varepsilon\right] \le e^{-2n\varepsilon^2}$$
and
$$\Pr\left[\frac{1}{n}\sum_{i} X_i \le p - \varepsilon\right] \le e^{-2n\varepsilon^2} .$$

The following bound on the sum of the binomial coefficients is well-known.

Lemma 2.2. For any $0 < p < 1/2$,

where $h(p) = -p\log_2 p - (1-p)\log_2(1-p)$ is the binary entropy function.



Lemma 2.3 (Sampling Lemma [KR05]). Let $Z$ be an $n$-tuple and $Z'$ a $k$-tuple of random variables over $\mathcal{Z}$, with symmetric joint probability $P_{ZZ'}$. Let $Q_{z'}$ be the relative frequency distribution of a fixed sequence $z'$ and $Q_{(z,z')}$ be the relative frequency distribution of a sequence $(z,z')$, drawn according to $P_{ZZ'}$. Then for every $\varepsilon > 0$ it holds that
$$P_{ZZ'}\left[\,\|Q_{(Z,Z')} - Q_{Z'}\| \ge \varepsilon\,\right] \le |\mathcal{Z}| \cdot e^{-k\varepsilon^2/(8|\mathcal{Z}|)} .$$



2.2 Efficiency 



Some cryptographic tasks cannot be achieved with perfect security. For 
these cases, we have to accept some probability of error, or even rely on 
computational hardness. 
Definition 2.12. Let $g\colon \mathbb{N} \to \mathbb{R}$ be a function.

• The set of functions $f\colon \mathbb{N} \to \mathbb{R}$ upper-bounded by $g$ is called $O(g)$ ($O$-notation):
$$O(g) = \{f\colon \mathbb{N} \to \mathbb{R} \mid \exists c > 0, n_0 \colon f(n) \le c\cdot g(n) \text{ for all } n > n_0\} .$$

• The set of functions $f\colon \mathbb{N} \to \mathbb{R}$ lower-bounded by $g$ is called $\Omega(g)$ ($\Omega$-notation):
$$\Omega(g) = \{f\colon \mathbb{N} \to \mathbb{R} \mid \exists c > 0, n_0 \colon f(n) \ge c\cdot g(n) \text{ for all } n > n_0\} .$$

A function $f\colon \mathbb{N} \to \mathbb{R}$ is called polynomially upper-bounded (or polynomial) if there exists a constant $k > 0$ such that $f \in O(n^k)$.

In computational complexity, algorithms that run in time at most polynomial in the input size are called efficient, and inefficient otherwise.

Definition 2.13. A function $f\colon \mathbb{N} \to \mathbb{R}$ is called negligible if for every positive polynomial $p(\cdot)$, there exists an $n_0$ such that for all $n > n_0$
$$f(n) < \frac{1}{p(n)} .$$

For example, in key distribution, we are interested in schemes where 
(ideally) the probability that an adversary succeeds in breaking it is neg- 
ligible in some security parameter. On the other hand, the probability 
that the honest parties succeed in achieving their task should be high, for 
example overwhelming, as defined below. 

Definition 2.14. A probability p: N -> R is called overwhelming if 1 - p(n) 
is negligible. 

Note that the definitions of polynomial and negligible have the nice property that they are closed under composition. More precisely, if $f$ and $g$ are polynomial, then so are $f \circ g$, $f + g$, and $f \cdot g$; if $f$ and $g$ are negligible, then so is $f + g$; and even if $f$ is polynomial and $g$ is negligible, then $f \circ g$ and $f \cdot g$ are negligible.
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2.3 Random Systems 

Most cryptographic tasks can abstractly be modelled as random systems [Mau02]. A system is an object taking inputs and giving outputs. The way this system is physically implemented is often irrelevant in the cryptographic context, and we can consider the system to be defined in terms of its behaviour, i.e., the probabilities that it gives a certain output given a specific input.

Definition 2.15. An $(\mathcal{X},\mathcal{Y})$-random system $S$ is a sequence of conditional probability distributions $P_{Y_i \mid X_1 \ldots X_i\, Y_1 \ldots Y_{i-1}}$ for $i \ge 1$.

Even though the sequence of probability distributions defining a system 
could potentially be infinite, we will only consider systems defined by 
finite sequences and with a finite number of inputs and outputs. Two 
random systems characterized by the same probability distributions are, 
with the above definition, defined to be the same system. 

The different interfaces, the number of interactions and, where applicable, the temporal ordering of these inputs and outputs are described in the definition of the system.

Figure 2.2: A system.

Example 1. The identity channel can be seen as the system taking as input a value $x \in \mathcal{X}$ and outputting the value $y = x$, i.e., $P_{Y|X}(x,y) = 1$ for $y = x$ and $0$ otherwise.

Note that any protocol taking as input X and calculating a certain value Y 
can also be seen as a random system with input X and output Y. 
2.3.1 Indistinguishability



The closeness of two systems $S_0$ and $S_1$ can be measured by introducing a so-called distinguisher. A distinguisher $\mathcal{D}$ is itself a system and it has the same interfaces as the system $S_0$, with the only difference that wherever $S_0$ takes an input, $\mathcal{D}$ gives an output and vice versa. In addition, $\mathcal{D}$ has an extra output. The distinguisher $\mathcal{D}$ has access to all interfaces of $S_0$, even though these interfaces might not be in the same location when the protocol is executed (for example, one of the interfaces might be the one seen by Alice, while the other is the one seen by Eve).

Definition 2.16. A distinguisher $\mathcal{D}$ for an $(\mathcal{X},\mathcal{Y})$-random system is a $(\mathcal{Y},\mathcal{X})$-random system defined by the distributions $P_{X_i \mid X_1 \ldots X_{i-1}\, Y_1 \ldots Y_{i-1}}$ for $i \ge 1$ (i.e., it is one query ahead). Additionally, it outputs a bit $B$ after $q$ queries based on the transcript $(X_1 \ldots X_q\, Y_1 \ldots Y_q)$.



Figure 2.3: The distinguisher $\mathcal{D}$, interacting either with $S_0$ or with $S_1$ and outputting a bit $B \in \{0,1\}$.

Now consider the following game: The distinguisher $\mathcal{D}$ is given one out of two systems at random — either $S_0$ or $S_1$ — but the distinguisher does not know which one. It can interact with the system and then has to output a bit $B$, guessing which system it has interacted with. The distinguishing advantage between systems $S_0$ and $S_1$ is the maximum guessing advantage any distinguisher can have in this game (see Figure 2.3). Equivalently, the distance between two systems can be defined as the maximum difference in probability that a distinguisher outputs the value $B = 1$ given it has interacted with system $S_0$ compared to when it has interacted with $S_1$.

Definition 2.17. The distinguishing advantage between two systems $S_0$ and $S_1$ is
$$\delta(S_0,S_1) = \max_{\mathcal{D}}\,[P(B=1 \mid S=S_0) - P(B=1 \mid S=S_1)] .$$

Two systems $S_0$ and $S_1$ are called $\varepsilon$-indistinguishable if $\delta(S_0,S_1) \le \varepsilon$.



The probability of any event $\mathcal{E}$ when the distinguisher $\mathcal{D}$ is interacting with $S_0$ or $S_1$ cannot differ by more than this quantity.

Lemma 2.4. Let $S_0$ and $S_1$ be two $\varepsilon$-indistinguishable systems. Denote by $\Pr[\mathcal{E} \mid S_0, \mathcal{D}]$ the probability of an event $\mathcal{E}$, defined by any of the input and output variables, given the distinguisher $\mathcal{D}$ is interacting with the system $S_0$. Then
$$\Pr[\mathcal{E} \mid S_0, \mathcal{D}] \le \Pr[\mathcal{E} \mid S_1, \mathcal{D}] + \varepsilon .$$

Proof. Assume $\Pr[\mathcal{E} \mid S_0, \mathcal{D}] > \Pr[\mathcal{E} \mid S_1, \mathcal{D}] + \varepsilon$ and define the distinguisher $\mathcal{D}$ such that it outputs $B = 0$ whenever the event $\mathcal{E}$ has happened and whenever $\mathcal{E}$ has not happened it outputs $B = 1$. Then this distinguisher reaches a distinguishing advantage of $\delta(S_0,S_1) > \varepsilon$, contradicting the assumption that the two systems are $\varepsilon$-indistinguishable. □



The distinguishing advantage is a pseudo-metric, that is, it fulfils similar properties as a metric, in particular, the triangle inequality.

Lemma 2.5. The distinguishing advantage fulfils

• $\delta(S,S) = 0$,

• $\delta(S_0,S_1) = \delta(S_1,S_0)$, and

• $\delta(S_0,S_1) + \delta(S_1,S_2) \ge \delta(S_0,S_2)$.



Proof.
$$\delta(S_0,S_0) = \max[P(B=1 \mid S=S_0) - P(B=1 \mid S=S_0)] = \max[0] = 0 .$$

For the second equality, call the distinguisher that reaches the maximal value on the right-hand side (i.e., $\delta(S_0,S_1)$) $\mathcal{D}_0$. Define another distinguisher $\mathcal{D}_1$ to be the same as $\mathcal{D}_0$, but flipping the bit $B$ before outputting it. This implies
$$\begin{aligned}
\delta(S_0,S_1) &= [P_{\mathcal{D}_0}(B=1 \mid S=S_0) - P_{\mathcal{D}_0}(B=1 \mid S=S_1)] \\
&= [1 - P_{\mathcal{D}_1}(B=1 \mid S=S_0) - (1 - P_{\mathcal{D}_1}(B=1 \mid S=S_1))] \\
&= [P_{\mathcal{D}_1}(B=1 \mid S=S_1) - P_{\mathcal{D}_1}(B=1 \mid S=S_0)] \\
&\le \delta(S_1,S_0) .
\end{aligned}$$

The inverse inequality follows by the same argument with the roles of $S_0$ and $S_1$ exchanged. Finally note that
$$\begin{aligned}
\delta(S_0,S_1) + \delta(S_1,S_2) &= \max[P(B=1 \mid S=S_0) - P(B=1 \mid S=S_1)] + \max[P(B=1 \mid S=S_1) - P(B=1 \mid S=S_2)] \\
&\ge \max[P(B=1 \mid S=S_0) - P(B=1 \mid S=S_1) + P(B=1 \mid S=S_1) - P(B=1 \mid S=S_2)] \\
&= \delta(S_0,S_2) . \qquad \square
\end{aligned}$$

2 Since we identify the system with the probability distributions describing it, the distinguishing advantage is actually a metric, i.e., for any two systems with distance 0, the two systems are the same. In general, it is possible to introduce the distinguishing advantage restricting the set of distinguishers to a certain class, for example, the ones which are computationally efficient. In this case, the weaker properties of a pseudo-metric remain fulfilled.
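As an added illustration of Definitions 2.10 and 2.17 and of Lemma 2.5 (not code from the thesis), the following script enumerates every deterministic distinguisher for one-query systems $P_{Y|X}$, represented here as nested dictionaries of my choosing, and checks that the resulting advantage equals the largest variational distance between the two systems' output distributions and obeys the triangle inequality. The sample systems are the identity channel of Example 1 and constructed noisy variants of it.

```python
from itertools import product

def variational_distance(p, q):
    """Definition 2.10: d(P, Q) = 1/2 * sum_x |P(x) - Q(x)|, summed over the
    union of the supports of both dictionaries."""
    return sum(abs(p.get(v, 0.0) - q.get(v, 0.0)) for v in set(p) | set(q)) / 2

def binary_channel(flip):
    """Constructed one-query system P_{Y|X} on bits, stored as x -> {y: prob}:
    the input passes through and is flipped with probability `flip`.
    flip = 0 is the identity channel of Example 1."""
    return {x: {x: 1 - flip, 1 - x: flip} for x in (0, 1)}

def distinguishing_advantage(s0, s1):
    """Definition 2.17 by exhaustive search for one-query systems: a deterministic
    distinguisher picks the query x and the set of answers y on which it outputs
    B = 1.  Every distinguisher is a mixture of these, so the largest value of
    P(B=1 | S=S0) - P(B=1 | S=S1) over them is the advantage."""
    best = 0.0
    for x in s0:
        outputs = sorted(set(s0[x]) | set(s1[x]))
        for accept in product((False, True), repeat=len(outputs)):
            p_b1 = [sum(s[x].get(y, 0.0) for y, a in zip(outputs, accept) if a)
                    for s in (s0, s1)]
            best = max(best, p_b1[0] - p_b1[1])
    return best

def advantage_by_distance(s0, s1):
    """Closed form the search should reproduce for a single query: choose the
    input x whose two output distributions are furthest apart."""
    return max(variational_distance(s0[x], s1[x]) for x in s0)

if __name__ == "__main__":
    ident, noisy = binary_channel(0.0), binary_channel(0.1)
    print("advantage by search  :", distinguishing_advantage(ident, noisy))
    print("advantage by distance:", advantage_by_distance(ident, noisy))
```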



2.3.2 Security of a key 

The security of a cryptographic primitive can be measured by the distance of this system from an ideal system, which is secure by definition [MRW07]. For example, in the case of key distribution the ideal system is the one which outputs a uniform and random key (bit string) to the honest parties and for which all other input/output interfaces are completely independent of this first interface. This key is secure by construction. If the real key-distribution protocol is $\varepsilon$-indistinguishable from the ideal one, then, by Lemma 2.4, the key obtained from the real system needs to be secure except with probability $\varepsilon$. This is true because in the ideal case the adversary knows nothing about the key.

Definition 2.18. A perfect key of length $|S|$ is a system which outputs two equal uniform random variables $S_A$ and $S_B$ (i.e., $P_{S_A S_B}(s_A,s_B) = 1/|\mathcal{S}|$ for $s_A = s_B$ and $0$ otherwise) and for which all other interfaces are uncorrelated with $S_A$ and $S_B$.

Definition 2.19. A key is $\varepsilon$-secure if the system outputting $S_A$ and $S_B$ is $\varepsilon$-indistinguishable from a perfect key.
Figure 2.4: The real and ideal system for the case of key distribution.



This definition implies that the resulting security is universally composable [PW01, BPW03, Can01], i.e., no matter in which context the key is used it always behaves like a perfect key, except with probability at most $\varepsilon$. In fact, assume by contradiction that there exists any way of using the key (or any other part of the system which generates the key) such that the result is insecure, i.e., distinguishable with probability larger than $\varepsilon$ from the ideal system. This process could be used to distinguish the key-generation scheme from an ideal one with probability larger than $\varepsilon$, which is impossible by definition.

Often, the analysis of the security of a key is subdivided into several parts 
because the different properties are achieved by different sub-protocols. 
For example, the bound on the information an eavesdropper can have 
about Alice's key Sa is called the secrecy of the protocol. Secrecy is usually 
achieved by privacy amplification. The probability that Alice's and Bob's 
key differ can then be considered separately; this is called the correctness 
of the protocol. The part of the protocol responsible for correctness is 
information reconciliation. By the triangle inequality, the security of the 
protocol is bounded by the sum of the secrecy and correctness. 

Note that the above requirements of secrecy and correctness do not ex- 
clude a trivial protocol: one that always outputs a key of zero length. 
Such a protocol is, of course, not useful (although it is secure). The prop- 
erty that the protocol should output a key (of non-zero length) when the 
eavesdropper is passive is called the robustness of the protocol. 

When key agreement is studied in an asymptotic scenario, where the number of quantum systems, channel uses, random variables etc. used can be arbitrarily large, we are interested in the length of the key that can (asymptotically) be achieved per number of systems.




Definition 2.20. The rate $q$ of a key-distribution protocol is the length of the key per number of systems, i.e., $\log |\mathcal{S}| = q \cdot n$.

Of course, we will be interested in protocols which are secure and output 
a certain key length when the adversary is passive. The secret key rate is 
then defined as the key length that can be generated when the channel is 
noisy according to a certain noise model. 



2.4 Convex Optimization 
2.4.1 Linear programming 

A linear program (see, e.g., [BV04]) is an optimization problem with a linear objective function and linear inequality (and equality) constraints, i.e., it can be expressed as

$$\max : b^T \cdot x \qquad (2.1)$$
$$\text{s.t. } A \cdot x \leq c \;,$$

where $x$, $b$, and $c$ are real vectors, $A$ is a real matrix, and $x$ is the variable we want to optimize. The inequality is meant as the component-wise inequality of the entries. An $x$ which fulfils the constraints is called feasible. The set of feasible $x$ is convex, more precisely, a convex polytope, i.e., a convex set with a finite number of extremal points (vertices). A feasible $x$ which maximizes the objective function $b^T x$ is called optimal solution and is denoted by $x^*$. The value of $b^T x^*$, i.e., the maximal value of the objective function for a feasible $x$, is called optimal value and denoted by $q^*$. The program is called feasible if there exists a feasible $x$. If this is the case and the optimal value is finite, there is always a vertex of the polytope defined by the constraints at which the optimal value is attained.

Any linear program can be brought into the form given above (2.1), i.e., there exists a problem of the above form that is equivalent to the original optimization problem. For example, if the objective function should be minimized instead of maximized, this is equivalent to maximizing the objective function and replacing $b$ by $-b$. In the same way, constraints of the form $a x \geq c$ can be brought into the above form by multiplying them with $-1$, and equality constraints $a x = c$ can be replaced by the two constraints $a x \leq c$ and $-a x \leq -c$. On the other hand, an inequality constraint $a x \leq c$ can be replaced by an equality and an inequality constraint by introducing a so-called slack variable $s$ and writing $a x + s = c$ and $s \geq 0$.

An important feature of linear programming is duality: The linear program (2.1) is called the primal problem. From this linear program, another linear program can be derived, defined by

$$\min : c^T \cdot \lambda \qquad (2.2)$$
$$\text{s.t. } A^T \cdot \lambda = b$$
$$\lambda \geq 0 \;.$$

This problem is called the dual, its optimal solution is denoted by $\lambda^*$ and its optimal value by $d^* = c^T \lambda^*$. The weak duality theorem states that the value of the primal objective function for every feasible $x$ is smaller than or equal to the value of the dual objective function for every feasible $\lambda$. The strong duality theorem states that the two optimal values are equal, i.e., $q^* = d^*$.

Theorem 2.1 (Strong duality for linear programming). Consider a linear program, defined by $A$, $b$, and $c$, and assume that either the primal or dual is feasible. Then $q^* = b^T x^* = c^T \lambda^* = d^*$.

It is therefore possible to solve a linear program either by solving the linear program (2.1) itself, or by solving its dual (2.2).
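The primal (2.1) and dual (2.2) can be solved side by side on a small instance to see weak and strong duality at work. The following is an added example, not code from the thesis: since the optimum of a feasible bounded linear program is attained at a vertex, the primal is solved by enumerating all intersections of $n$ active constraints, and the dual by enumerating basic feasible solutions (choose $n$ of the $m$ dual variables, set the others to zero). The instance (two variables, five constraints) is constructed; exact rational arithmetic is used so the equality $q^* = d^*$ can be checked exactly.

```python
from fractions import Fraction
from itertools import combinations


def solve_square(M, rhs):
    """Solve M x = rhs exactly by Gauss-Jordan elimination; None if M is singular."""
    n = len(M)
    aug = [[Fraction(v) for v in row] + [Fraction(r)] for row, r in zip(M, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        piv = aug[col][col]
        aug[col] = [v / piv for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def primal_optimum(A, b, c):
    """max b^T x  s.t.  A x <= c   (2.1).  Every vertex of the feasible polytope is the
    intersection of n active constraints, so enumerate those and keep the best feasible one."""
    n = len(b)
    best_value, best_x = None, None
    for rows in combinations(range(len(A)), n):
        x = solve_square([A[i] for i in rows], [c[i] for i in rows])
        if x is None or any(dot(A[i], x) > c[i] for i in range(len(A))):
            continue  # singular system, or the intersection point is infeasible
        value = dot(b, x)
        if best_value is None or value > best_value:
            best_value, best_x = value, x
    return best_value, best_x


def dual_optimum(A, b, c):
    """min c^T lam  s.t.  A^T lam = b, lam >= 0   (2.2).  The n equality constraints and
    m variables give basic solutions with at most n non-zero entries; enumerate them."""
    m, n = len(A), len(b)
    At = [[A[i][j] for i in range(m)] for j in range(n)]
    best_value, best_lam = None, None
    for basis in combinations(range(m), n):
        lam_b = solve_square([[At[j][i] for i in basis] for j in range(n)], b)
        if lam_b is None or any(v < 0 for v in lam_b):
            continue  # singular basis, or violates lam >= 0
        lam = [Fraction(0)] * m
        for i, v in zip(basis, lam_b):
            lam[i] = v
        value = dot(c, lam)
        if best_value is None or value < best_value:
            best_value, best_lam = value, lam
    return best_value, best_lam


# Constructed instance (assumption, not from the thesis):
#   maximise x1 + x2  subject to  x1 <= 2, x2 <= 3, x1 + x2 <= 4, x1 >= 0, x2 >= 0.
A_EX = [[1, 0], [0, 1], [1, 1], [-1, 0], [0, -1]]
B_EX = [1, 1]
C_EX = [2, 3, 4, 0, 0]


def weak_duality_holds(A, b, c, x, lam):
    """b^T x <= c^T lam for a feasible primal x and feasible dual lam."""
    return dot(b, x) <= dot(c, lam)
```

On the constructed instance both enumerations return 4: the primal optimum is reached on the edge $x_1 + x_2 = 4$, and the dual certificate puts weight 1 on that single constraint. The enumeration is exponential in the number of constraints, so it only serves to illustrate the theorem; the linear programs later used for non-signalling bounds are solved with standard solvers.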

2.4.2 Conic programming 

The notion of linear programming can be generalized to conic programming [BTN01]. In linear programming, the constraints are of the form $Ax \leq c$, where $Ax \leq c$ means that every entry of the vector $Ax$ must be smaller than or equal to the corresponding entry of the vector $c$. The relation '$\leq$', therefore, defines a partial order on the set of vectors in $\mathbb{R}^m$. Many of the properties of linear programming follow from properties of this partial ordering '$\leq$', namely that it is reflexive, anti-symmetric, transitive, and compatible with linear operations (homogeneous and additive). However, other ordering relations also have these properties. In fact, it turns out that an ordering relation with the above properties (which we denote by '$\preceq$') is completely defined by its non-negative elements. Furthermore, the non-negative elements must form a pointed convex cone.

Figure 2.5: A linear programming problem.

Definition 2.21. A set $K$ of elements of a Euclidean space $E$, i.e., a real inner product space, is called a pointed convex cone if

• $K$ is non-empty and closed under addition: $a, a' \in K \Rightarrow a + a' \in K$.

• $K$ is a conic set: $a \in K,\ \lambda \geq 0 \Rightarrow \lambda a \in K$.

• $K$ is pointed: $a \in K$ and $-a \in K \Rightarrow a = 0$.

A pointed convex cone in a Euclidean space $E$ induces a partial ordering '$\preceq_K$' by defining

$$a \preceq_K b \iff b - a \in K \;.$$

This ordering relation has the properties described above. A conic program is then defined as the optimization problem

$$\max : b^T \cdot x \qquad (2.3)$$
$$\text{s.t. } A \cdot x \preceq_K c \;,$$

where $K$ is a cone in a Euclidean space $E$, and $A$ is a linear map from $\mathbb{R}^n$ to $E$.
Figure 2.6: A convex optimization problem.



The fact that the constraints are defined by a cone implies, for example, 
that the feasible region is convex (unlike in the linear programming case 
it does, however, not need to be a polytope); the optimization problem, 
therefore, does not have any local optima. 

Example 2. A linear program can be interpreted as the conic program where the Euclidean space is $\mathbb{R}^m$ and the cone $K$ is $\mathbb{R}^m_+$, the non-negative orthant of $\mathbb{R}^m$, i.e.,

$$\mathbb{R}^m_+ = \{ a = (a_1, \ldots, a_m)^T \in \mathbb{R}^m \mid a_i \geq 0,\ i = 1, \ldots, m \} \;.$$

Example 3. A semi-definite program corresponds to the case where $E = \mathcal{S}^m$, the space of $m \times m$ symmetric matrices with the inner product $\langle A, B \rangle = \mathrm{tr}(AB) = \sum_{i,j} A_{ij} B_{ij}$.³ The cone $K$ is the set of symmetric matrices which are positive semi-definite, i.e.,

$$\mathcal{S}^m_+ = \{ A \in \mathcal{S}^m \mid x^T A x \geq 0 \text{ for all } x \in \mathbb{R}^m \} \;.$$

The dual of the above conic program (2.3) is

$$\min : \langle c, \lambda \rangle \qquad (2.4)$$
$$\text{s.t. } A^T \cdot \lambda = b$$
$$\lambda \in K^* \;,$$

where $K^*$ is the dual cone of $K$ (see Definition 2.22 below) and $\langle c, \lambda \rangle$ denotes the inner product of $c$ and $\lambda$.

³ Note that this inner product transforms to the usual inner product between two vectors if the matrices $A$ and $B$ are transformed into vectors by 'stacking the columns on top of each other'. In the context of semi-definite programming we will often use matrices and the vectors which can be obtained from them interchangeably.

Definition 2.22. Let $K$ be a pointed convex cone in a Euclidean space $E$. The dual cone $K^*$ of $K$ is

$$K^* = \{ \lambda \in E \mid \langle \lambda, a \rangle \geq 0 \text{ for all } a \in K \} \;.$$

The dual program gives an upper bound on the value of the primal program, i.e., the value of any feasible primal solution is always lower than or equal to the value of any feasible dual solution.

Theorem 2.2 (Weak duality for conic programming). Consider a conic program, defined by $A$, $b$, $c$, and a cone $K$. Then $q^* = b^T x^* \leq \langle c, \lambda^* \rangle = d^*$.

Unlike in the linear programming case, there exist special cases of conic programs where the optimal values of the primal and dual program are different, i.e., there exists a so-called duality gap. Often, it can, however, be shown that the two values are indeed equal. This is, for example, the case when there exists a strictly feasible solution of the primal or dual problem, i.e., there exists an $x$ such that $A x \prec_K c$, where '$\prec_K$' denotes strict inequality with respect to the cone, i.e., $c - Ax$ lies in the interior of $K$.



2.5 Quantum Physics 



We first give the postulates of quantum mechanics and then the necessary definitions. For a more detailed introduction to quantum mechanics, we refer to [Fey63, CTDL78], and for more information about quantum information to [NC00].

Postulates of quantum physics

1. The (pure) state of a system is represented by a vector element $|\psi\rangle$ of a Hilbert space $\mathcal{H}$. For all $c \neq 0 \in \mathbb{C}$, $|\psi\rangle$ and $c\,|\psi\rangle$ represent the same state.⁴

⁴ Alternatively, we could choose to normalize the vectors such that for any non-zero vector $|\psi\rangle$ it holds that $\| |\psi\rangle \| = 1$.
2. An observable $A$ is represented by a self-adjoint linear operator $A$ on $\mathcal{H}$, i.e., $A = A^\dagger$.

3. The result of a measurement of the observable $A$ is a real number $a$ that is an eigenvalue of $A$.

4. If a system is in state $|\psi\rangle$, then the probability to obtain $a$ when the observable $A$ is measured is

$$\Pr[\text{measurement of } A = a] = \frac{\langle \psi | P_a | \psi \rangle}{\langle \psi | \psi \rangle} \;,$$

where $P_a$ is the projector onto the subspace spanned by the eigenvectors of $A$ with associated eigenvalue $a$. The expectation value is

$$\langle A \rangle = \langle \psi | A | \psi \rangle / \langle \psi | \psi \rangle \;.$$

5. If the system is in state $|\psi\rangle$, then immediately after the measurement of $A$ having given result $a$, the system is in the state $|\phi\rangle$, where

$$|\phi\rangle = P_a |\psi\rangle \;,$$

and $|\phi\rangle$ is an eigenvector of $A$ associated with the eigenvalue $a$.

6. The temporal evolution of an isolated system is⁵

$$\langle A \rangle (t) = \langle \psi_t | A | \psi_t \rangle = \langle \psi | A_t | \psi \rangle \;.$$

• In the Schrödinger picture

$$i\hbar \frac{d}{dt} |\psi_t\rangle = H |\psi_t\rangle \;, \quad \text{i.e., } |\psi_t\rangle = e^{-iHt/\hbar} |\psi_0\rangle \;.$$

• In the Heisenberg picture

$$\frac{d}{dt} A_t = \frac{i}{\hbar} [H, A_t] \;, \quad \text{i.e., } A_t = e^{iHt/\hbar} A\, e^{-iHt/\hbar} \;,$$

with $H = H^\dagger$.



In the above, we have used the Dirac notation, i.e., elements of the Hilbert space are denoted by $|\psi\rangle$, called ket, while elements of the dual space are denoted by $\langle \psi |$, called bra. The bracket $\langle \phi | \psi \rangle$ is the scalar product of an element $|\psi\rangle$ of $\mathcal{H}$ with the element of the dual $\langle \phi |$. And $\langle \phi | A | \psi \rangle$, where $A$ is a self-adjoint linear operator, can be seen equivalently as the case where the vector is $|A\psi\rangle$ or where the dual vector is $\langle A\phi |$. $\langle A \rangle$ stands for the expectation value and $[A, B]$ denotes the commutator of two operators $A$ and $B$, i.e., $[A, B] = AB - BA$.

⁵ Sometimes this postulate is stated as the requirement that the evolution of the system is described by a unitary operator, i.e., $|\psi\rangle' = U |\psi\rangle$ in the Schrödinger picture.



Definitions and properties

Most of the following definitions and properties can be found in books on functional analysis, such as [RS81].

Definition 2.23. A Hilbert space $\mathcal{H}$ is a complex vector space, i.e.,

$$|\psi\rangle, |\phi\rangle \in \mathcal{H} \text{ and } \lambda_1, \lambda_2 \in \mathbb{C} \Rightarrow \lambda_1 |\psi\rangle + \lambda_2 |\phi\rangle \in \mathcal{H}$$

with a positive Hermitian sesquilinear form, i.e., for all $|\psi\rangle, |\phi\rangle \in \mathcal{H}$, there exists $\langle \phi | \psi \rangle \in \mathbb{C}$ such that

1. it is linear in $|\psi\rangle$: $\langle \phi | \lambda_1 \psi_1 + \lambda_2 \psi_2 \rangle = \lambda_1 \langle \phi | \psi_1 \rangle + \lambda_2 \langle \phi | \psi_2 \rangle$,

2. $\langle \phi | \psi \rangle = \overline{\langle \psi | \phi \rangle}$, where the bar denotes the complex conjugate,

3. for all $|\psi\rangle \in \mathcal{H}$, $\langle \psi | \psi \rangle \geq 0$ and $\langle \psi | \psi \rangle = 0 \iff |\psi\rangle = 0$; the norm of a vector $|\psi\rangle$ is defined as $\| |\psi\rangle \| = \sqrt{\langle \psi | \psi \rangle}$.

Furthermore, $\mathcal{H}$ is complete, i.e., for all $|\psi_n\rangle \in \mathcal{H}$ with $n = 1, 2, 3, \ldots$ such that $\lim_{n,m \to \infty} \| |\psi_n\rangle - |\psi_m\rangle \| = 0$, there exists a $|\psi\rangle \in \mathcal{H}$ such that $\lim_{n \to \infty} \| |\psi_n\rangle - |\psi\rangle \| = 0$, i.e., $\lim_{n \to \infty} |\psi_n\rangle = |\psi\rangle$.

Definition 2.24. Let $\mathcal{H}$ be a Hilbert space. The dual of $\mathcal{H}$, denoted by $\mathcal{H}^* = \{\omega\}$, is the complex vector space of linear forms on $\mathcal{H}$, i.e., every $\omega \in \mathcal{H}^*$ maps $|\psi\rangle \in \mathcal{H}$ to $\omega[\psi] \in \mathbb{C}$ with $\omega[\lambda_1 \psi_1 + \lambda_2 \psi_2] = \lambda_1 \omega[\psi_1] + \lambda_2 \omega[\psi_2]$.
With every $|\phi\rangle \in \mathcal{H}$, it is possible to associate an element of the dual $\omega_\phi \in \mathcal{H}^*$ via the relation

$$|\psi\rangle \mapsto \omega_\phi[\psi] = \langle \phi | \psi \rangle$$

with $\omega_{\lambda \phi} = \bar{\lambda}\, \omega_\phi$. And for every element $\omega$ of $\mathcal{H}^*$, there also exists an element $|\phi\rangle$ of $\mathcal{H}$ such that

$$\omega[\psi] = \langle \phi | \psi \rangle \;.$$

Definition 2.25. An orthonormal basis of $\mathcal{H}$ is a set of vectors $\{|\phi_i\rangle\}_{i \in I}$ such that

• $\langle \phi_i | \phi_j \rangle = \delta_{ij}$ for all $i, j \in I$ and

• $\langle \phi_i | \psi \rangle = 0$ for all $i \in I \Rightarrow |\psi\rangle = 0$.

Every Hilbert space has an orthonormal basis, but the Hilbert spaces usually considered in quantum physics have an additional property, namely that they have a countable orthonormal basis.

Definition 2.26. $\mathcal{H}$ is called separable if it has a countable orthonormal basis.

For separable Hilbert spaces it can be checked whether a set $\{|\phi_i\rangle\}_{i=1,2,\ldots}$ of vectors in $\mathcal{H}$ forms an orthonormal basis by testing if $\langle \phi_i | \phi_j \rangle = \delta_{ij}$ for all $i, j$ and $\sum_i |\phi_i\rangle \langle \phi_i| = \mathbb{1}_{\mathcal{H}}$. This implies that for any $|\psi\rangle, |\phi\rangle \in \mathcal{H}$ and orthonormal basis $\{|\phi_i\rangle\}$, it holds that

$$|\psi\rangle = \sum_i \langle \phi_i | \psi \rangle\, |\phi_i\rangle \qquad \text{(Fourier formula)}$$
$$\| \psi \|^2 = \sum_i |\langle \phi_i | \psi \rangle|^2 \qquad \text{(Plancherel formula)}$$
$$\langle \phi | \psi \rangle = \sum_i \langle \phi | \phi_i \rangle \langle \phi_i | \psi \rangle \qquad \text{(Parseval formula)} \;.$$

Definition 2.27. $A$ is a bounded linear operator on $\mathcal{H}$, denoted by $A \in \mathcal{B}(\mathcal{H})$, if $A[\lambda_1 \psi_1 + \lambda_2 \psi_2] = \lambda_1 A[\psi_1] + \lambda_2 A[\psi_2]$ and

$$\sup_{\psi \neq 0} \frac{\| A |\psi\rangle \|}{\| |\psi\rangle \|} < \infty \;.$$

Observables corresponding to physical quantities are bounded. Through the relation

$$\big( |\psi\rangle \langle \phi' | \big) |\phi\rangle = |\psi\rangle \langle \phi' | \phi \rangle = \langle \phi' | \phi \rangle\, |\psi\rangle$$

we can express the operator mapping $|\phi\rangle$ to $|\psi\rangle$ multiplied by $\langle \phi' | \phi \rangle$ as $|\psi\rangle \langle \phi' |$. This leads to the outer product notation of $A$.

Definition 2.28. The adjoint of a bounded operator $A$ is defined such that

$$\langle \phi | A^\dagger \psi \rangle = \langle A \phi | \psi \rangle \;.$$

It further holds that $(\lambda A)^\dagger = \bar{\lambda} A^\dagger$; $(AB)^\dagger = B^\dagger A^\dagger$; $\|A\| = \|A^\dagger\|$; $A^{\dagger\dagger} = A$ and $\langle \psi | A^\dagger A | \psi \rangle = \langle A\psi | A\psi \rangle = \| A\psi \|^2 \geq 0$.

Definition 2.29. A bounded operator $A$ is called self-adjoint if $A = A^\dagger$ and it is called unitary if $A A^\dagger = A^\dagger A = \mathbb{1}$.

Definition 2.30. Let $A = A^\dagger \in \mathcal{B}(\mathcal{H})$. If $A |\psi\rangle = a |\psi\rangle$ then $|\psi\rangle$ is an eigenvector of $A$ with eigenvalue $a$ and $a \in \mathbb{R}$.

Definition 2.31. Let $\mathcal{H}$ be a Hilbert space and $\mathcal{H}'$ a subspace of $\mathcal{H}$ with $\{|\phi_i\rangle\}_{i \in I}$ an orthonormal basis of $\mathcal{H}'$. The projector of $\mathcal{H}$ onto $\mathcal{H}'$ is the operator

$$P = \sum_{i \in I} |\phi_i\rangle \langle \phi_i| \;.$$

The projector onto a subspace of $\mathcal{H}$ fulfils $P = P^\dagger = P^2$.

Theorem 2.3 (Spectral decomposition). Let $A$ be a self-adjoint bounded linear operator on $\mathcal{H}$ with eigenvalues $\{a_i\}$. Then $\mathcal{H}$ has an orthonormal basis $\{|\phi_{i,k}\rangle\}_{k=1,\ldots,d_i}$ of eigenvectors of $A$ and

$$A = \sum_i a_i P_{a_i} \;,$$

where $P_{a_i} = \sum_k |\phi_{i,k}\rangle \langle \phi_{i,k}|$ is the projector onto the eigenspace associated with the eigenvalue $a_i$.
Note that the eigenspaces associated with different eigenvalues of $A$ are orthogonal.

Example 4. An example of a Hilbert space is $\mathbb{C}^n$ with the scalar product $\langle \phi, \psi \rangle = \sum_{i=1}^n \bar{\phi}_i \psi_i$. In this case, every vector $|\psi\rangle \in \mathcal{H}$ and dual vector $\langle \phi | \in \mathcal{H}^*$ can be expressed as

$$|\psi\rangle = \begin{pmatrix} \psi_1 \\ \vdots \\ \psi_n \end{pmatrix}$$

with $\psi_i \in \mathbb{C}$, and for $|\phi\rangle \in \mathcal{H}$, $\langle \phi | = (\bar{\phi}_1, \ldots, \bar{\phi}_n)$. The scalar product is

$$\langle \phi | \psi \rangle = \sum_{i=1}^n \bar{\phi}_i \psi_i$$

and the operator $|\psi\rangle \langle \phi|$ is a complex $n \times n$ matrix

$$|\psi\rangle \langle \phi| = \begin{pmatrix} \psi_1 \\ \vdots \\ \psi_n \end{pmatrix} (\bar{\phi}_1, \ldots, \bar{\phi}_n) = \begin{pmatrix} \psi_1 \bar{\phi}_1 & \cdots & \psi_1 \bar{\phi}_n \\ \vdots & & \vdots \\ \psi_n \bar{\phi}_1 & \cdots & \psi_n \bar{\phi}_n \end{pmatrix} \in M_n(\mathbb{C}) \;.$$

Example 5. Another example of a Hilbert space is $\mathcal{L}^2(\mathbb{R}^3, d^3x)$, the set of complex square integrable functions over $\mathbb{R}^3$. In this case, $\psi = \psi(\vec{x}) : \mathbb{R}^3 \to \mathbb{C}$, such that

$$\int d^3x\, |\psi(\vec{x})|^2 < \infty \;.$$

The scalar product is given by $\langle \phi, \psi \rangle = \int_{\mathbb{R}^3} d^3x\, \overline{\phi(\vec{x})}\, \psi(\vec{x})$.

When the Hilbert space is $\mathbb{C}^n$, we will often denote the canonical basis vectors by $|0\rangle, \ldots, |n-1\rangle$. We will call systems with $n = 2$ a qubit and denote their basis states as

$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \;, \qquad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix} \;.$$
Composite systems

When describing a system that consists of two subsystems, one being described by a Hilbert space $\mathcal{H}_1$ and the other by $\mathcal{H}_2$, then the pure state of the total system can be described by the Hilbert space that is the tensor product of the two subspaces, i.e., $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$.

The tensor product is defined such that for $|\psi\rangle \in \mathcal{H}_1$ and $|\phi\rangle \in \mathcal{H}_2$, it associates a vector $|\psi\rangle \otimes |\phi\rangle \in \mathcal{H}$ with the property that

$$c \cdot (|\psi\rangle \otimes |\phi\rangle) = (c \cdot |\psi\rangle) \otimes |\phi\rangle = |\psi\rangle \otimes (c \cdot |\phi\rangle)$$
$$(|\psi_1\rangle + |\psi_2\rangle) \otimes |\phi\rangle = |\psi_1\rangle \otimes |\phi\rangle + |\psi_2\rangle \otimes |\phi\rangle$$
$$|\psi\rangle \otimes (|\phi_1\rangle + |\phi_2\rangle) = |\psi\rangle \otimes |\phi_1\rangle + |\psi\rangle \otimes |\phi_2\rangle$$

for all $c \in \mathbb{C}$, $|\psi_1\rangle, |\psi_2\rangle \in \mathcal{H}_1$ and $|\phi_1\rangle, |\phi_2\rangle \in \mathcal{H}_2$.

We will sometimes drop the tensor product in the notation and write

$$|0\rangle \otimes |1\rangle = |0\rangle |1\rangle = |01\rangle \;.$$

The tensor product of linear operators $A$ acting on $\mathcal{H}_1$ and $B$ acting on $\mathcal{H}_2$ can be defined via the relation

$$(A \otimes B)[|\psi\rangle \otimes |\phi\rangle] = (A |\psi\rangle) \otimes (B |\phi\rangle) \;.$$

Note that when $\{|\psi_i\rangle\}_i$ is an orthonormal basis of $\mathcal{H}_1$ and $\{|\phi_j\rangle\}_j$ is an orthonormal basis of $\mathcal{H}_2$, then $\{|\psi_i\rangle \otimes |\phi_j\rangle\}_{i,j}$ is an orthonormal basis of $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$.

Not all states in the tensor product Hilbert space can be expressed as the tensor product of a state in each of the two subsystems.

Definition 2.32. Let $|\psi\rangle \in \mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$ be a pure state. Then, if $|\psi\rangle$ cannot be expressed as the tensor product of a state $|\psi_1\rangle \in \mathcal{H}_1$ and $|\psi_2\rangle \in \mathcal{H}_2$, i.e.,

$$|\psi\rangle \neq |\psi_1\rangle \otimes |\psi_2\rangle \;,$$

the state $|\psi\rangle$ is called entangled.

Example 6. Examples of entangled states of two qubits are the Bell states. The state $|\Psi^-\rangle$ is also called the singlet.

$$|\Psi^-\rangle = \tfrac{1}{\sqrt{2}} (|01\rangle - |10\rangle)$$
$$|\Psi^+\rangle = \tfrac{1}{\sqrt{2}} (|01\rangle + |10\rangle)$$
$$|\Phi^-\rangle = \tfrac{1}{\sqrt{2}} (|00\rangle - |11\rangle)$$
$$|\Phi^+\rangle = \tfrac{1}{\sqrt{2}} (|00\rangle + |11\rangle) \;.$$



Density operators and generalized measurements

A useful way to represent quantum states is using density operators, i.e., operators on the Hilbert space. This representation has the advantage that the situation where a certain pure state $|\psi_i\rangle$ occurs with probability $p_i$ can be modelled easily.

Definition 2.33. A density operator is a Hermitian positive operator $\rho$ with trace 1, i.e.,

$$\rho = \rho^\dagger \;, \qquad \rho \geq 0 \;, \qquad \mathrm{tr}(\rho) = 1 \;.$$

The expression $\rho \geq 0$ means that the eigenvalues of $\rho$ are non-negative. The density matrix $\rho$ associated with a (normalized) pure state $|\psi\rangle$ is

$$\rho = |\psi\rangle \langle \psi| \;.$$

If a measurement $A$ is performed on a state characterized by a density operator $\rho$, then

$$\langle A \rangle = \mathrm{tr}(A \rho) \;.$$

The probability to obtain outcome $a_i$ is

$$\Pr[a_i] = \mathrm{tr}(P_{a_i} \rho) \;,$$
where $P_{a_i}$ is the projector onto the eigenspace associated with eigenvalue $a_i$.

We observe that for the density matrix $\rho = |\psi\rangle \langle \psi|$ associated with the pure state $|\psi\rangle$, we obtain

$$\langle A \rangle = \mathrm{tr}(A |\psi\rangle \langle \psi|) = \langle \psi | A | \psi \rangle \quad \text{and}$$
$$\Pr[a_i] = \mathrm{tr}(P_{a_i} |\psi\rangle \langle \psi|) = \langle \psi | P_{a_i} | \psi \rangle \;,$$

as expected.

Furthermore, when the system is in state $|\psi_i\rangle$ with probability $p_i$ (this is called a mixed state), we associate the density matrix

$$\rho = \sum_i p_i\, |\psi_i\rangle \langle \psi_i|$$

with this system. Because of the linearity of the trace, $A$ and $P_{a_i}$, we obtain in this case

$$\langle A \rangle = \mathrm{tr}\Big( A \sum_i p_i |\psi_i\rangle \langle \psi_i| \Big) = \sum_i p_i \langle \psi_i | A | \psi_i \rangle \quad \text{and}$$
$$\Pr[a_j] = \mathrm{tr}\Big( P_{a_j} \sum_i p_i |\psi_i\rangle \langle \psi_i| \Big) = \sum_i p_i \langle \psi_i | P_{a_j} | \psi_i \rangle \;.$$

Note that the same density matrix $\rho$ can be associated with different probabilistic mixtures of pure states. A density matrix $\rho$ corresponds to a pure state exactly if $\rho^2 = \rho$.

A state represented by a density matrix is called entangled if it cannot be expressed as the convex combination of the tensor product of two density matrices, i.e.,

$$\rho \neq \sum_i p_i\, \rho_{1,i} \otimes \rho_{2,i} \;.$$

For a density matrix $\rho$ on $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$, we can obtain the density matrix describing only the first part of the system by the partial trace over the second system, i.e.,

$$\rho_1 = \mathrm{tr}_2\, \rho = \sum_i (\mathbb{1}_1 \otimes \langle \phi_i|)\, \rho\, (\mathbb{1}_1 \otimes |\phi_i\rangle) \;,$$
where $\{|\phi_i\rangle\}_i$ is a basis of $\mathcal{H}_2$.

In a similar way as density matrices can be seen as a generalization of the notion of a state, it is also possible to generalize the notion of a measurement.

Definition 2.34. A POVM (Positive Operator-Valued Measure) is a set of positive Hermitian operators $\{E_i\}_i$ such that $\sum_i E_i = \mathbb{1}$.

Note, however, that any density matrix can be seen as a pure state on a larger system and any POVM can be seen as applying a unitary transformation to the system and an ancilla (additional system) followed by a projective measurement (described by the eigenvalues and the projectors onto the eigenspaces of a self-adjoint operator $A$).

In fact, a density operator on $\mathcal{H}_1$ defined by $\rho_1 = \sum_i p_i |\psi_i\rangle \langle \psi_i|$ can be expressed as the pure state

$$|\psi'\rangle = \sum_i \sqrt{p_i}\, |\psi_i\rangle_1 |i\rangle_2$$

in a Hilbert space $\mathcal{H} = \mathcal{H}_1 \otimes \mathcal{H}_2$ (where the dimension of $\mathcal{H}_2$ must be at least the dimension of $\mathcal{H}_1$).

A POVM element $E_i$ can be expressed as $E_i = M_i^\dagger M_i$ because it is Hermitian and positive semi-definite. Define an operator $U$ by

$$U[|\psi\rangle |0\rangle] := \sum_i M_i |\psi\rangle |i\rangle \;.$$

$U$ is unitary because of the completeness relation $\sum_i E_i = \mathbb{1}$. If the projective measurement defined by $P_i = \mathbb{1} \otimes |i\rangle \langle i|$ is applied to $U[|\psi\rangle |0\rangle]$, this corresponds exactly to applying the POVM $\{E_i\}_i$ to $|\psi\rangle$. The POVM is, therefore, equivalent to applying the above unitary transformation and then performing a projective measurement.

This argument implies that we will always be able to restrict our analysis to pure states and projective measurements (in a potentially larger space).
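Both reductions of this paragraph, the purification of a mixed state and the dilation of a POVM to a unitary followed by a projective measurement, can be checked numerically. The following is an added example and not code from the thesis; it works on nested Python lists rather than a linear-algebra library. The mixed state and the three-element qubit POVM (a "trine", $E_k = \tfrac{2}{3}|\phi_k\rangle\langle\phi_k|$ with three real states) are constructed assumptions. Because every $E_k$ here has rank one, its square root is $M_k = E_k/\sqrt{\mathrm{tr}(E_k)}$, so no general matrix square root is needed.

```python
import math

# Minimal complex linear algebra on nested lists (constructed helper code, no numpy).
def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def outer(u, v):
    """The operator |u><v| as a matrix."""
    return [[a * b.conjugate() for b in v] for a in u]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def apply(A, v):
    return [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]

def add_scaled(A, B, s):
    return [[A[i][j] + s * B[i][j] for j in range(len(A[0]))] for i in range(len(A))]

def mixed_state(pure_states, probs):
    """rho = sum_i p_i |psi_i><psi_i|   (Definition 2.33, mixed state)."""
    d = len(pure_states[0])
    rho = [[0j] * d for _ in range(d)]
    for psi, p in zip(pure_states, probs):
        rho = add_scaled(rho, outer(psi, psi), p)
    return rho

def is_pure(rho, tol=1e-12):
    """A density matrix corresponds to a pure state exactly if rho^2 = rho."""
    sq = matmul(rho, rho)
    return all(abs(sq[i][j] - rho[i][j]) < tol for i in range(len(rho)) for j in range(len(rho)))

def purify(pure_states, probs):
    """|psi'> = sum_i sqrt(p_i) |psi_i>_1 |i>_2 on H_1 (x) H_2; dim H_2 = number of terms."""
    d1, d2 = len(pure_states[0]), len(pure_states)
    vec = [0j] * (d1 * d2)
    for i, (psi, p) in enumerate(zip(pure_states, probs)):
        for a in range(d1):
            vec[a * d2 + i] += math.sqrt(p) * psi[a]   # index a*d2 + i  <->  |a>_1 |i>_2
    return vec

def partial_trace_second(rho, d1, d2):
    """rho_1 = tr_2 rho = sum_k (1 (x) <k|) rho (1 (x) |k>) in the product basis."""
    return [[sum(rho[a * d2 + k][b * d2 + k] for k in range(d2)) for b in range(d1)]
            for a in range(d1)]

def trine_povm():
    """Constructed qubit POVM: E_k = (2/3)|phi_k><phi_k| with three real states
    |phi_k> = (cos(k*pi/3), sin(k*pi/3)).  The E_k are positive and sum to 1."""
    povm = []
    for k in range(3):
        phi = [math.cos(math.pi * k / 3), math.sin(math.pi * k / 3)]
        povm.append([[2 / 3 * a * b for b in phi] for a in phi])
    return povm

def povm_probabilities(psi, povm):
    """Direct Born rule for a POVM: Pr[i] = tr(E_i |psi><psi|)."""
    rho = outer(psi, psi)
    return [trace(matmul(E, rho)).real for E in povm]

def dilated_probabilities(psi, povm):
    """Form U[|psi>|0>] = sum_i M_i|psi>|i> with E_i = M_i^dagger M_i, then measure the
    ancilla projectively with P_i = 1 (x) |i><i|.  Returns the outcome probabilities and
    the squared norm of the dilated vector (1 if U preserves the norm)."""
    d, m = len(psi), len(povm)
    dilated = [0j] * (d * m)
    for i, E in enumerate(povm):
        M = [[x / math.sqrt(trace(E).real) for x in row] for row in E]  # rank-one sqrt
        v = apply(M, psi)
        for a in range(d):
            dilated[a * m + i] += v[a]
    norm_sq = sum(abs(x) ** 2 for x in dilated)
    probs = [sum(abs(dilated[a * m + i]) ** 2 for a in range(d)) for i in range(m)]
    return probs, norm_sq
```

Tracing out the ancilla of the purification returns the original mixed state, and the projective measurement on the dilated vector reproduces $\mathrm{tr}(E_i\rho)$ outcome by outcome, which is the content of the equivalence claimed above.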
Classical random variables as quantum states

A discrete random variable $X$ with probability distribution $P_X$ can be represented by the density matrix

$$\rho_X = \sum_x P_X(x)\, |x\rangle \langle x| \;,$$

where $\{|x\rangle\}_x$ is an orthonormal basis of a Hilbert space $\mathcal{H}_X$. Measuring the state in this basis gives the measurement result $x$ with probability $P_X(x)$.

Similarly, the case where a quantum system is described by a different state depending on the value of a random variable $X$ can also be represented by a quantum state. More precisely, by a state $\rho_{XA}$, which is called classical on $X$.

Definition 2.35. A state $\rho_{XA}$ such that

$$\rho_{XA} = \sum_x P_X(x)\, |x\rangle \langle x| \otimes \rho_A^x \;,$$

where $\{|x\rangle\}_x$ is an orthonormal basis of a Hilbert space $\mathcal{H}_X$ and $\rho_A^x$ is a density matrix on $\mathcal{H}_A$, is called classical on $X$.

Min-Entropy

In classical information theory, tasks such as data compression or randomness extraction can be characterized by the entropy of a distribution. These entropies can also be defined for quantum states. We will, in particular, use the notion of the min-entropy of a system $A$ conditioned on a system $B$. For the definition of other entropies of quantum states we refer to [Ren05].



Definition 2.36. The min-entropy of $A$ given $B$ of a density matrix $\rho_{AB}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ is

$$H_{\min}(A|B)_{\rho_{AB}} = \max_{\sigma_B} \sup \{ \lambda \in \mathbb{R} \mid 2^{-\lambda}\, \mathbb{1}_A \otimes \sigma_B \geq \rho_{AB} \} \;,$$

where the maximization is over all density matrices $\sigma_B$ on $\mathcal{H}_B$.
In [KRS09], it is shown that when the system $A$ is classical, then the min-entropy of $A$ given $B$ is just the maximal probability that someone holding the system $B$ can correctly guess the value of $A$.

Theorem 2.4 (König, Renner, Schaffner [KRS09]). Let $\rho_{AB}$ be classical on $\mathcal{H}_A$. Then

$$H_{\min}(A|B)_{\rho_{AB}} = -\log_2 P_{\mathrm{guess}}(A|B)_{\rho_{AB}} \;,$$

where $P_{\mathrm{guess}}(A|B)_{\rho_{AB}}$ is the maximal probability of decoding $A$ from $B$ with a POVM $\{E_a\}_a$ on $\mathcal{H}_B$, i.e.,

$$P_{\mathrm{guess}}(A|B)_{\rho_{AB}} := \max$$
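When the side information $B$ is classical as well (all $\rho_B^a$ diagonal in one basis), the optimal POVM is simply the measurement in that basis, and the guessing probability reduces to $\sum_b \max_a P_{AB}(a,b)$. The following added example (not code from the thesis) computes $P_{\mathrm{guess}}$ and $H_{\min}$ in this classical-classical case for a constructed joint distribution of Alice's raw key value and Eve's noisy view, showing how a partial leak lowers the min-entropy from its maximum of $\log_2 |\mathcal{X}|$ bits to zero for a complete leak; the leak model is an assumption.

```python
import math


def guessing_probability(p_xy):
    """P_guess(X|Y) for a joint distribution {(x, y): prob} with classical Y.

    For every observed y the best guess is the x maximising P_XY(x, y), so
    P_guess = sum_y max_x P_XY(x, y).  This is Theorem 2.4 specialised to the
    case where the rho_B^x commute, where the optimal POVM is the {|y>} basis.
    """
    best = {}
    for (x, y), prob in p_xy.items():
        best[y] = max(best.get(y, 0.0), prob)
    return sum(best.values())


def min_entropy(p_xy):
    """H_min(X|Y) = -log2 P_guess(X|Y)  (Theorem 2.4)."""
    return -math.log2(guessing_probability(p_xy))


def noisy_view(n_values, p_leak):
    """Constructed example (assumption, not from the thesis): X is uniform on n_values
    symbols; Eve's Y equals X with probability p_leak and is otherwise uniform."""
    p = {}
    for x in range(n_values):
        for y in range(n_values):
            p[(x, y)] = (1 / n_values) * (p_leak * (x == y) + (1 - p_leak) / n_values)
    return p


def extractable_bits(p_xy):
    """Number of whole bits below H_min(X|Y): the order of magnitude of key that
    privacy amplification can extract from X against a holder of Y."""
    return math.floor(min_entropy(p_xy) + 1e-12)
```

For four symbols and a 60% leak the guessing probability is 0.7, so $H_{\min}(X|Y) \approx 0.51$ bits remain of the 2 bits of a fully secret symbol; for the general quantum $B$ the definition above requires solving a semi-definite program and is not covered by this code.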



2.6 Systems from Different Resources 

Consider a bipartite system taking an input and giving an output on each 
side. This system is characterized by the conditional probability distri- 
bution Pxy\uv of the outputs given a certain input pair. Which systems 
Pxy\uv can be realized depends on the resources that can be used to real- 
ize it. 

We can view this situation as a game, where two parties, let us call them Alice and Bob, are allowed to agree on a strategy, but are then put into separate rooms. Later, they are asked questions by a referee: Alice is asked question $u$ of some set $\mathcal{U}$, but does not know Bob's question $v \in \mathcal{V}$, and Bob gets question $v$, but does not know $u$. Their goal is to give answers $x \in \mathcal{X}$ (for Alice) and $y \in \mathcal{Y}$ (for Bob) according to the distribution $P_{XY|UV}$ using the resource at their disposal.

One possible such resource is, of course, communication. If Alice and Bob are allowed to communicate $u$ and $v$ to each other and then decide on their answers together, it should be possible for them to realize any conditional probability distribution $P_{XY|UV}$ (if Alice and Bob are also able to make coin tosses locally).

In the following, we will characterize $n$-party systems that can be implemented using different resources. The resources we consider are, however, such that they do not allow for communication. An $n$-party system is denoted by $P_{X|U}$, where $X$ is a vector of $n$ random variables $X = X_1 \ldots X_n$. In the case of two parties, we will sometimes write $P_{XY|UV}$. Sometimes, we will also consider the case when two parties, Alice and Bob, share a $(2n)$-party system and will denote this system by $P_{XY|UV}$ in order to make clear which random variable is associated with which party. For a $(2n+1)$-party system, associated with Alice, Bob and Eve, we will use the notation $P_{XYZ|UVW}$.

2.6.1 Local systems

The first resource we consider is shared randomness. More precisely, we assume that Alice and Bob are allowed to discuss a strategy and make an arbitrary number of coin tosses. But after they are separated, they are only allowed to base their answers on the question they have obtained and the value of the shared randomness. The strategies can be considered deterministic, i.e., given a certain value of the shared randomness $r$, the strategy of Alice tells her exactly which answer $x$ to give as a function of the question $u$, and the same for Bob. Indeed, any strategy of Alice which chooses an $x$ probabilistically as a function of $u$ and $r$ can be expressed as a deterministic strategy by incorporating Alice's local randomness into the shared randomness $R$. The distributions $P_{XY|UV}$ that can be generated this way by Alice and Bob are called local. Formally, we define the following.

Definition 2.37. An $n$-party system $P_{X|U}$ is called local deterministic if

$$P_{X|U}(x, u) = \prod_i \delta_{x_i, f^i(u_i)} \;,$$

where $\delta$ denotes the Kronecker delta, i.e., the function $\delta_{a,b} = 1$ if $a = b$ and $0$ otherwise, and where $f^i : \mathcal{U}_i \to \mathcal{X}_i$ is a function associating with each $u_i$ an $x_i$.

Local systems are all the ones which can be expressed as convex combinations of local deterministic systems.

Definition 2.38. An $n$-party system $P_{X|U}$ is called local if

$$P_{X|U}(x, u) = \sum_r P_R(r) \cdot \prod_i \delta_{x_i, f^i_r(u_i)}$$

with $\sum_r P_R(r) = 1$. A distribution which is not local is called non-local.
The space of local probability distributions is a convex polytope and its vertices are the local deterministic distributions. A convex polytope can be described either in terms of its vertices or, alternatively, as an intersection of a finite number of halfspaces (see, e.g., [BV04]). In the context of local probability distributions, these halfspaces correspond to so-called Bell inequalities [Bel64]. Informally speaking, a Bell inequality is an upper bound on a linear combination of the probabilities $P_{X|U}(x, u)$ that must hold for all local distributions $P_{X|U}$.

Definition 2.39. A Bell inequality is an inequality of the form

$$\sum_{x,u} q(x, u)\, P_{X|U}(x, u) \leq c$$

that must hold for any local distribution $P_{X|U}$, and where $q : \mathcal{X} \times \mathcal{U} \to \mathbb{R}$ is a function associating with each value of $x$ and $u$ a real number, and $c$ is a real number.

If a distribution $P_{X|U}$ violates a Bell inequality, this proves that it is non-local. The reverse argument is also possible: Any non-local distribution lies outside the local polytope and, therefore, must violate some Bell inequality.

The best-known example of a Bell inequality is the one given by Clauser, Horne, Shimony and Holt [CHSH69], also called CHSH inequality. This inequality is the only one relevant for bipartite systems with binary inputs and outputs, in the sense that any non-local system of this type must violate it, possibly using a relabelling of the inputs and outputs.

Example 7 (CHSH inequality [CHSH69]). For any local system $P_{XY|UV}$ with $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0, 1\}$ it holds that⁶

$$\frac{1}{4} \sum_{(x,y,u,v):\, x \oplus y = u \cdot v} P_{XY|UV}(x, y, u, v) \leq \frac{3}{4} \;.$$

⁶ Originally [CHSH69], the Bell inequality was stated in terms of systems giving outputs in $\{-1, 1\}$, in which case the inequality reads

$$\langle X_0 Y_0 \rangle + \langle X_0 Y_1 \rangle + \langle X_1 Y_0 \rangle - \langle X_1 Y_1 \rangle \leq 2 \;,$$

where $X_0$ stands for the random variable $X$ given input $u = 0$, and $\langle X_0 Y_0 \rangle$ denotes the expectation value of the random variable $X_0 Y_0$.
Figure 2.7: A local deterministic system. In this notation, a local deterministic system corresponds to the selection of a line (column) for each input, as indicated by the arrows. The CHSH inequality (Example 7) corresponds to the condition that the sum of the entries in the hatched cells is at most 3. This system, therefore, reaches the maximal possible value for a local system.



For a specific system $P_{XY|UV}$ (not necessarily local), we will sometimes call the value of the expression on the left-hand side in the above inequality the Bell value (or CHSH value) of this system. A generalization of the CHSH inequality to systems with more inputs has been given by Braunstein and Caves [BC90].

Example 8 (Braunstein-Caves inequality [BC90]). For any local system $P_{XY|UV}$ with $\mathcal{X} = \mathcal{Y} = \{0, 1\}$ and $\mathcal{U} = \mathcal{V} = \{1, \ldots, N\}$ it holds that⁷

$$\frac{1}{2N} \Bigg[ \sum_{u=1}^{N} \sum_{v=u}^{u+1} \sum_{(x,y):\, x = y} P_{XY|UV}(x, y, u, v) + \sum_{(x,y):\, x \neq y} P_{XY|UV}(x, y, N, 1) \Bigg] \leq 1 - \frac{1}{2N} \;.$$

⁷ The Braunstein-Caves inequality was also originally given in terms of correlations of systems with outputs in $\{-1, 1\}$.
2.6.2 Quantum systems

Consider the setup where Alice and Bob are allowed to discuss a strategy and use shared randomness (as above), but in addition they are allowed to share a (possibly entangled) quantum state. Alice and Bob can now base their answers on the shared randomness, but also on the measurement outcomes they obtain from measuring the quantum state. Which measurement they perform can, of course, depend on the shared randomness and on the question they have obtained.

Interestingly, the set of probability distributions which can be obtained this way is strictly larger than the local set described above, i.e., these distributions can be non-local. This is what is meant by the expression 'quantum mechanics is non-local'.⁸

Definition 2.40. An $n$-party system $P_{X|U}$, where $X = X_1 \ldots X_n$, is called quantum if there exists a pure state $|\psi\rangle \in \mathcal{H} = \bigotimes_i \mathcal{H}_i$ and a set of measurement operators $\{E^{x_i}_{u_i}\}$ on $\mathcal{H}_i$ such that

$$P_{X|U}(x, u) = \langle \psi |\, \bigotimes_i E^{x_i}_{u_i}\, | \psi \rangle \;.$$

The measurement operators are

1. Hermitian, i.e., $E^{x_i \dagger}_{u_i} = E^{x_i}_{u_i}$ for all $x_i, u_i$,

2. orthogonal projectors, i.e., $E^{x_i}_{u_i} E^{x_i'}_{u_i} = E^{x_i}_{u_i}\, \delta_{x_i x_i'}$,

3. and sum up to the identity, i.e., $\sum_{x_i} E^{x_i}_{u_i} = \mathbb{1}_{\mathcal{H}_i}$ for all $u_i$.

As we have seen in the previous section, it is not a restriction to assume the quantum state to be pure and the measurements to be projections, since any quantum state can be represented as a pure state in a larger Hilbert space and measurements as projective measurements by introducing an ancilla (see Section 2.5).
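Definition 2.37 (local deterministic systems), the CHSH inequality of Example 7 and Definition 2.40 (quantum systems) can be placed side by side in code. The following is an added example and not code from the thesis: it enumerates the 16 local deterministic strategies to recover the local bound $3/4$, and builds a quantum system in the sense of Definition 2.40 from the singlet $(|10\rangle - |01\rangle)/\sqrt{2}$ (the state of Example 9) measured in real rotated bases, whose projectors are Hermitian, orthogonal and sum to the identity. The measurement angles are an assumption chosen so that this state reaches the quantum maximum $(2+\sqrt{2})/4$ of the CHSH value, which exceeds the local bound.

```python
import math
from itertools import product


def basis_state(theta, outcome):
    """Real qubit basis rotated by theta: |theta,0> = cos(theta)|0> + sin(theta)|1>,
    |theta,1> = -sin(theta)|0> + cos(theta)|1>.  The projectors onto these two vectors
    are Hermitian, orthogonal and sum to the identity, as Definition 2.40 requires."""
    c, s = math.cos(theta), math.sin(theta)
    return [c, s] if outcome == 0 else [-s, c]


def tensor(u, v):
    """|u> (x) |v> in the product basis |00>,|01>,|10>,|11>."""
    return [a * b for a in u for b in v]


def inner(u, v):
    return sum(a * b for a, b in zip(u, v))   # real vectors, so no conjugation needed


def quantum_system(state, alice_angles, bob_angles):
    """P_{XY|UV}(x,y,u,v) = <psi| E^x_u (x) E^y_v |psi> = |(<u,x| (x) <v,y|)|psi>|^2."""
    P = {}
    for u, a in enumerate(alice_angles):
        for v, b in enumerate(bob_angles):
            for x, y in product((0, 1), repeat=2):
                amp = inner(tensor(basis_state(a, x), basis_state(b, y)), state)
                P[(x, y, u, v)] = amp * amp
    return P


def local_deterministic_system(f_alice, f_bob):
    """Definition 2.37: x = f_A(u), y = f_B(v) for fixed functions given as tuples."""
    return {(x, y, u, v): float(x == f_alice[u] and y == f_bob[v])
            for x, y, u, v in product((0, 1), repeat=4)}


def chsh_value(P):
    """(1/4) * sum over (x,y,u,v) with x xor y = u*v of P(x,y,u,v)   (Example 7)."""
    return sum(p for (x, y, u, v), p in P.items() if (x ^ y) == (u & v)) / 4


def local_bound():
    """Maximum CHSH value over the 16 local deterministic strategies.  Every local
    system is a convex combination of them, so this bounds all local systems."""
    strategies = list(product((0, 1), repeat=2))   # a function {0,1} -> {0,1} as a tuple
    return max(chsh_value(local_deterministic_system(fa, fb))
               for fa in strategies for fb in strategies)


# The singlet (|10> - |01>)/sqrt(2) in the basis |00>,|01>,|10>,|11>.
SINGLET = [0.0, -1 / math.sqrt(2), 1 / math.sqrt(2), 0.0]
# Measurement angles (constructed assumption) reaching the quantum maximum for this state.
ALICE_ANGLES = [0.0, 3 * math.pi / 4]
BOB_ANGLES = [3 * math.pi / 8, -3 * math.pi / 8]


def quantum_value():
    return chsh_value(quantum_system(SINGLET, ALICE_ANGLES, BOB_ANGLES))


def is_normalised(P, tol=1e-12):
    """Every input pair (u,v) must yield a probability distribution over the outputs."""
    return all(abs(sum(P[(x, y, u, v)] for x, y in product((0, 1), repeat=2)) - 1) < tol
               for u, v in product((0, 1), repeat=2))
```

The local bound returned is exactly $3/4$, matching Figure 2.7, while the singlet with the chosen angles gives $(2+\sqrt{2})/4 \approx 0.854$. In a device-independent protocol, the observed CHSH value is the only quantity the honest parties need from their devices, so a function like `chsh_value` applied to the measured frequencies is the natural test that the devices are not behaving locally.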

In finite dimensions, the requirement that the measurements act only on one part of a larger tensor-product Hilbert space is equivalent to the requirement that all operators associated with different parties commute. See, e.g., [DLTW08] or [Weh08] for an explicit proof.

8 Quantum physics is sometimes said to be a local theory, meaning that it is not possible to act on a system that is in a distant location. We will call this property non-signalling (see Section 2.6.3).

Theorem 2.5. Let $\mathcal{H}$ be a finite dimensional Hilbert space and $\{E^{u_i}_{x_i}\}$ be a set of Hermitian orthogonal projectors with $\sum_{x_i} E^{u_i}_{x_i} = \mathbb{1}$. Assume further that $[E^{u_i}_{x_i}, E^{u_j}_{x_j}] = 0$ for all $x_i, x_j, u_i, u_j$ where $i \neq j$. Then there exists a unitary isomorphism between $\mathcal{H}$ and $\mathcal{H}' = \bigotimes_i \mathcal{H}_i$ such that in $\mathcal{H}'$ the $E^{u_i}_{x_i}$ are of the form $E'^{u_i}_{x_i} \otimes \mathbb{1}$, where $E'^{u_i}_{x_i}$ acts on $\mathcal{H}_i$ only.

For any $(n+1)$-party quantum system, the marginal and conditional systems are also quantum systems. This follows from the postulates of quantum physics, but we give a direct proof in terms of systems below.

Lemma 2.6. Let $P_{XZ|UW}$ be an $(n+1)$-party quantum system. Then the marginal system $P_{X|U}(x,u) := \sum_z P_{XZ|UW}(x,z,u,w)$ and the conditional system $P_{X|U,W=w,Z=z}(x,u) := P_{XZ|UW}(x,z,u,w)/P_{Z|W=w}(z)$ are $n$-party quantum systems.



Proof. For the marginal system, take the same state and the measurement operators $\{E^{u_i}_{x_i}\}$ for all $i < n$. The measurement operators associated with the $n$-th party are $\{E^{u_n}_{x_n} \otimes \mathbb{1}_{\mathcal{H}_{n+1}}\}$. They fulfil the requirements because they are part of the requirements of the operators of the $(n+1)$-party quantum system and remain valid when tensored with the identity. It then holds that

$$P_{X|U}(x,u) = \langle\psi|\bigotimes_{i\le n} E^{u_i}_{x_i} \otimes \mathbb{1}_{\mathcal{H}_{n+1}}|\psi\rangle = \langle\psi|\bigotimes_{i\le n} E^{u_i}_{x_i} \otimes \sum_z E^{w}_{z}|\psi\rangle = \sum_z P_{XZ|UW}(x,z,u,w)\,.$$

For the conditional system take the state

$$|\psi'\rangle := \frac{1}{\sqrt{P_{Z|W=w}(z)}}\,\big(\mathbb{1}_{\mathcal{H}_1}\otimes\cdots\otimes\mathbb{1}_{\mathcal{H}_n}\otimes E^{w}_{z}\big)|\psi\rangle$$

and the measurement operators $\{E^{u_i}_{x_i}\}$ for $i \le n$. Because $E^{w}_{z}$ is an orthogonal projector acting on $\mathcal{H}_{n+1}$ only, it holds that

$$\langle\psi'|\bigotimes_{i\le n} E^{u_i}_{x_i}\otimes \mathbb{1}_{\mathcal{H}_{n+1}}|\psi'\rangle = \frac{1}{P_{Z|W=w}(z)}\,\langle\psi|\bigotimes_{i\le n} E^{u_i}_{x_i}\otimes E^{w}_{z}|\psi\rangle = \frac{1}{P_{Z|W=w}(z)}\,P_{XZ|UW}(x,z,u,w)\,. \qquad\square$$



The set of quantum systems is convex, but it is not a polytope, i.e., the set 
of its extremal points is infinite. 

Example 9. The system in Figure 2.8 is a quantum system. It can be obtained by measuring the state $|\psi\rangle = (|10\rangle - |01\rangle)/\sqrt{2}$ using the operators $E^{u}_{x} = |\Phi^{u}_{x}\rangle\langle\Phi^{u}_{x}|$ and $E^{v}_{y} = |\tilde\Phi^{v}_{y}\rangle\langle\tilde\Phi^{v}_{y}|$ as given below.

$$|\Phi^{0}_{0}\rangle = \tfrac{1}{\sqrt2}(|0\rangle + |1\rangle)\,,\quad |\Phi^{0}_{1}\rangle = \tfrac{1}{\sqrt2}(|0\rangle - |1\rangle)\,,\quad |\Phi^{1}_{0}\rangle = |0\rangle\,,\quad |\Phi^{1}_{1}\rangle = |1\rangle\,,$$

$$|\tilde\Phi^{0}_{0}\rangle = \sqrt{\tfrac{2-\sqrt2}{4}}\,|0\rangle - \sqrt{\tfrac{2+\sqrt2}{4}}\,|1\rangle\,,\quad |\tilde\Phi^{0}_{1}\rangle = \sqrt{\tfrac{2+\sqrt2}{4}}\,|0\rangle + \sqrt{\tfrac{2-\sqrt2}{4}}\,|1\rangle\,,$$

$$|\tilde\Phi^{1}_{0}\rangle = \sqrt{\tfrac{2+\sqrt2}{4}}\,|0\rangle - \sqrt{\tfrac{2-\sqrt2}{4}}\,|1\rangle\,,\quad |\tilde\Phi^{1}_{1}\rangle = \sqrt{\tfrac{2-\sqrt2}{4}}\,|0\rangle + \sqrt{\tfrac{2+\sqrt2}{4}}\,|1\rangle\,.$$

Figure 2.8: A quantum system.
The system in Figure 2.8 fulfils

$$\frac14 \sum_{(x,y,u,v):\,x\oplus y = u\cdot v} P_{XY|UV}(x,y,u,v) = \frac{2+\sqrt2}{4} \approx 0.85\,,$$

i.e., it violates the Bell inequality of Example 7 in Section 2.6.1. Although quantum systems do not need to respect Bell inequalities, there exist limitations on the violations which can be reached by quantum systems. These limitations are called Tsirelson bounds, after Tsirelson, who showed, in particular, that the above quantum system indeed reaches the maximal possible CHSH value [Tsi80].

2.6.3 Non-signalling systems 

The set of systems that can be obtained by measuring a quantum state is strictly larger than the local set, but these correlations still do not imply communication. The behaviour on her side does not give Alice any information about the question Bob has obtained. This property is called non-signalling. We can consider the systems which can be obtained when Alice and Bob are allowed to share as a resource an abstract device taking inputs and giving outputs on each side, under the sole condition that this device cannot be used for signalling. This set of non-signalling systems contains the set of quantum systems as a proper subset.



Definition 2.41. An $n$-party system $P_{X|U}$ is called non-signalling if for any set $I \subseteq \{1, \ldots, n\}$,

$$\sum_{x_I} P_{X|U}(x, u_I, u_{\bar I}) = \sum_{x_I} P_{X|U}(x, u'_I, u_{\bar I})$$

holds for all $x_{\bar I}, u_I, u'_I, u_{\bar I}$, and where $u_I$ stands for the variables with indices in the set $I$, $u_I = \{u_i \mid i \in I\}$, and $u_{\bar I}$ for the variables with indices in the complementary set, i.e., $u_{\bar I} = \{u_i \mid i \notin I\}$.

This definition implies that, for any partition of the interfaces of the system, from the interaction with one set of the interfaces no information can be inferred about the inputs that were given to the remaining set of interfaces. This condition is actually equivalent to requiring that the behaviour of all but one interface gives no information about the input that was given to this one interface.
Lemma 2.7. An $n$-party system $P_{X|U}$ is non-signalling if and only if for all $i \in \{1,\ldots,n\}$,

$$\sum_{x_i} P_{X|U}(x, u_i, u_{\bar i}) = \sum_{x_i} P_{X|U}(x, u'_i, u_{\bar i})\,,$$

where $u_{\bar i}$ stands for $u_1 \ldots u_{i-1} u_{i+1} \ldots u_n$.

Proof. The condition is necessary, because it is simply the non-signalling condition for the set $I = \{i\}$. To see that it is sufficient, note that for any set $I$ and any $j, j' \in I$,

$$\begin{aligned}
\sum_{x_i:\,i\in I} P_{X|U}(x,u) &= \sum_{x_i:\,i\in I} P_{X|U}(x, u_I, u_{\bar I})\\
&= \sum_{x_i:\,i\in I\setminus\{j\}}\ \sum_{x_j} P_{X|U}(x, u_{I\setminus\{j\}}, u_j, u_{\bar I})\\
&= \sum_{x_i:\,i\in I\setminus\{j\}}\ \sum_{x_j} P_{X|U}(x, u_{I\setminus\{j\}}, u'_j, u_{\bar I})\\
&= \sum_{x_i:\,i\in I\setminus\{j,j'\}}\ \sum_{x_{j'}} P_{X|U}(x, u_{I\setminus\{j,j'\}}, u'_j, u_{j'}, u_{\bar I})\\
&= \sum_{x_i:\,i\in I\setminus\{j,j'\}}\ \sum_{x_{j'}} P_{X|U}(x, u_{I\setminus\{j,j'\}}, u'_{\{j,j'\}}, u_{\bar I})\\
&= \cdots = \sum_{x_i:\,i\in I} P_{X|U}(x, u'_I, u_{\bar I})\,,
\end{aligned}$$

where each step replaces the input of a single interface using the condition of the lemma. $\square$

Since the set of non-signalling systems can be described by linear constraints on the probabilities describing the system, it is often easier to deal with the strictly larger set of non-signalling systems than with the set of quantum systems. The set of non-signalling systems, in fact, forms again a convex polytope.

Example 10 (The PR box [PR94]). The system in Figure 2.9 is a non-signalling system. It is called a PR box after Popescu and Rohrlich [PR94].

Figure 2.9: The PR box. The non-signalling condition corresponds to the requirement that the two hatched areas contain the same probability (and similar for other outputs).

The PR box (Figure 2.9) reaches

$$\frac14 \sum_{(x,y,u,v):\,x\oplus y = u\cdot v} P_{XY|UV}(x,y,u,v) = 1\,,$$

i.e., it not only violates the Bell inequality of Example 7 in Section 2.6.1, it also reaches the maximum of this expression.
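As an added example (not code from the thesis), the boxes of Examples 9 and 10 and the criterion of Lemma 2.7 written out over explicit probability tables: the quantum system of Figure 2.8 is built from the state and projectors given above, its CHSH value is compared with the PR box and with the best local deterministic strategy, and each box is checked for non-signalling. Function names and the table layout are choices of this example.

```python
import math
from itertools import product

# Bipartite box with binary inputs and outputs, stored as a probability table
# P[(x, y, u, v)] = P_{XY|UV}(x, y, u, v).  (Layout chosen for this example.)
BITS = (0, 1)
QUAD = list(product(BITS, repeat=4))
TSIRELSON = (2 + math.sqrt(2)) / 4      # value reached by the system of Figure 2.8


def chsh_value(P):
    """(1/4) * sum over (x,y,u,v) with x XOR y = u*v of P(x,y|u,v), as in Examples 7, 9 and 10."""
    return sum(P[(x, y, u, v)] for x, y, u, v in QUAD if x ^ y == u * v) / 4


def is_non_signalling(P, tol=1e-12):
    """Lemma 2.7 for two parties: Alice's marginal must not depend on v and Bob's not on u."""
    for x, u in product(BITS, repeat=2):
        alice = [sum(P[(x, y, u, v)] for y in BITS) for v in BITS]
        if abs(alice[0] - alice[1]) > tol:
            return False
    for y, v in product(BITS, repeat=2):
        bob = [sum(P[(x, y, u, v)] for x in BITS) for u in BITS]
        if abs(bob[0] - bob[1]) > tol:
            return False
    return True


def is_normalized(P, tol=1e-12):
    """Every input pair (u, v) must give a probability distribution over (x, y)."""
    return all(abs(sum(P[(x, y, u, v)] for x, y in product(BITS, repeat=2)) - 1) <= tol
               for u, v in product(BITS, repeat=2))


def quantum_box():
    """Example 9: measure |psi> = (|10> - |01>)/sqrt(2) with rank-one projectors onto the
    vectors of Figure 2.8, so P(x,y|u,v) = |<Phi^u_x (x) Phi~^v_y | psi>|^2."""
    s = math.sqrt((2 - math.sqrt(2)) / 4)   # = sin(pi/8)
    c = math.sqrt((2 + math.sqrt(2)) / 4)   # = cos(pi/8)
    r = 1 / math.sqrt(2)
    # Each vector is (amplitude of |0>, amplitude of |1>), indexed [input][output].
    alice = {0: [(r, r), (r, -r)], 1: [(1.0, 0.0), (0.0, 1.0)]}
    bob = {0: [(s, -c), (c, s)], 1: [(c, -s), (s, c)]}
    P = {}
    for x, y, u, v in QUAD:
        a, b = alice[u][x], bob[v][y]
        # <a (x) b | psi> = (a_1 b_0 - a_0 b_1) / sqrt(2) for real amplitudes
        amp = (a[1] * b[0] - a[0] * b[1]) * r
        P[(x, y, u, v)] = amp * amp
    return P


def pr_box():
    """Example 10: x XOR y = u*v always, with uniform marginals on both sides."""
    return {(x, y, u, v): (0.5 if x ^ y == u * v else 0.0) for x, y, u, v in QUAD}


def local_deterministic_box(fa, fb):
    """Local strategy: Alice answers fa[u], Bob answers fb[v], no shared randomness needed."""
    return {(x, y, u, v): float(x == fa[u] and y == fb[v]) for x, y, u, v in QUAD}


def best_local_value():
    """Max of chsh_value over the 16 deterministic strategies; shared randomness only mixes
    them, so this is the local bound of the Bell inequality of Example 7 (3/4)."""
    return max(chsh_value(local_deterministic_box((a0, a1), (b0, b1)))
               for a0, a1, b0, b1 in product(BITS, repeat=4))


if __name__ == "__main__":
    for name, box in (("quantum (Fig. 2.8)", quantum_box()), ("PR box", pr_box())):
        print(f"{name}: CHSH value {chsh_value(box):.4f}, non-signalling: {is_non_signalling(box)}")
    print(f"best local strategy: {best_local_value():.4f}, Tsirelson: {TSIRELSON:.4f}")
```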

For an $(n+1)$-party non-signalling system $P_{XZ|UW}$, the marginal and conditional systems are well-defined and, again, $n$-party non-signalling systems.

Lemma 2.8. Let $P_{XZ|UW}$ be an $(n+1)$-party non-signalling system. Then the marginal system

$$P_{X|U}(x,u) := \sum_z P_{XZ|UW}(x,z,u,w)$$

and the conditional system

$$P_{X|U,W=w,Z=z}(x,u) := \frac{1}{P_{Z|W=w}(z)}\,P_{XZ|UW}(x,z,u,w)$$

are $n$-party non-signalling systems.

Proof. Let us first see that the conditional systems are non-signalling. By Lemma 2.7 it holds that for each $i$,

$$\sum_{x_i} P_{XZ|UW}(x,z,u_i,u_{\bar i},w) = \sum_{x_i} P_{XZ|UW}(x,z,u'_i,u_{\bar i},w)\,.$$

Dividing both sides by $P_{Z|W=w}(z)$ implies that the conditional system $P_{X|U,W=w,Z=z}(x,u)$ is non-signalling.

The marginal system is non-signalling because it is a linear combination of conditional systems and because the non-signalling condition is linear. $\square$

This property justifies dropping the input of the other parts of the system in the notation when considering the marginal system associated with a non-signalling system.



Chapter 3 



Security Against 
Non-Signalling Adversaries 

3.1 Introduction 

Non-signalling cryptography (sometimes also called relativistic cryptography), as introduced by Kent, bases its security on the impossibility of signalling between space-like separated events, as predicted by relativity theory. In secure multi-party computation, the property guaranteeing security is that any choice made during the protocol must be independent of any event occurring in a space-like separated location. In this way, realizing a secure coin toss between two mistrustful parties is straightforward [Ken99a]: Both parties choose a value and send it to the other simultaneously. The outcome of the coin toss is the XOR of the two values. Each player only accepts if the message from the other player arrives early enough that it must have been sent from the other player's location before the reception of their own message. Since each player must have chosen its value independently of the other player's, they cannot bias the outcome of the coin toss. Based on the same principle, protocols for bit commitment can also be defined [Ken99b, Ken05, Col06].

In [BHK05], Barrett, Hardy, and Kent proposed a protocol for secure key agreement based on the non-signalling principle (see Section 1.3). The case of key agreement works slightly differently from the above description, because there are two players which cooperate and trust each other (as opposed to the case of multi-party computation, where the players cooperate but do not trust each other). On the other hand, the eavesdropper cannot be forced to interact with the legitimate parties. The non-signalling condition then enters the argument via the requirement that Alice and Bob must not be able to signal to each other by interacting with their quantum systems even given the eavesdropper's measurement outcome. The secrecy of the key bit is based on the fact that there exist non-local correlations which imply that the outcomes must be completely independent of any information the eavesdropper can possibly hold. These correlations can be realized by measuring an entangled quantum state and additionally have the property that Alice's and Bob's outcomes are perfectly correlated. These properties are exactly what is necessary for a secure shared bit.

An advantage of non-signalling key agreement is that its security proof is based on observed correlations. It is independent of how these correlations were realized, such as the physical particles used to distribute them, the dimension of the Hilbert space or the exact working of the measurement device. These protocols are, therefore, naturally device-independent. Of course, allowing an adversary to do anything compatible with the non-signalling principle might be more than what a quantum adversary can do. However, Barrett, Hardy, and Kent's protocol implies that security is possible in principle even against such powerful adversaries.

The protocol of Barrett, Hardy, and Kent (see Figure 1.3, p. 10) is secure against the most general type of attacks — in the context of quantum key distribution these are called coherent attacks. The adversary can directly attack the key, independently of whether the physical realization of the protocol was made using several systems. Unfortunately, the security of the resulting key bit is only proportional to the number of systems and measurement bases used. Furthermore, the correlations need to be perfect for Alice and Bob not to abort, i.e., no noise can be tolerated. These properties imply that the protocol has zero key rate.

When restricting the type of attacks an adversary can make, these problems can be overcome. In fact, there exist (noisy) non-local correlations with a finite number of inputs that imply partial secrecy against a non-signalling eavesdropper, i.e., the outcome can be biased but not perfectly known. When Eve has to try to guess each bit of the raw key independently and individually, i.e., she is restricted to individual attacks, this implies that Alice and Bob can extract a secure key by applying information reconciliation and privacy amplification [AGM06, AMP06, SGB+06]. This works in the same way as against a purely classical adversary. However, generally we would not like to make such a restriction and it is unclear whether these schemes remain secure. In fact, consider privacy amplification: Alice and Bob apply a public hash function to their raw key. An adversary able to do arbitrary attacks can now directly attack the final key, without having to learn anything about the raw key. Indeed, in Chapter 5 we show that, unless Alice and Bob apply further countermeasures, the final key is only roughly as secure as the individual bits against a non-signalling adversary able to do collective attacks.

In this chapter, we study privacy amplification of non-signalling secrecy under the following such countermeasure: We require the non-signalling condition not only to hold between Alice, Bob, and Eve, but also between each of the subsystems.



Chapter outline We first characterize the exact possibilities that a non-signalling adversary has to attack a system (Section 3.2) and give the description of the setup we consider (Section 3.2.2). We show how non-local systems can imply partial secrecy against non-signalling adversaries in Section 3.3.1 and give a general way to calculate the secrecy of a bit using a linear program (Section 3.3.2). In Section 3.4.1 we consider the case of several systems and express the non-signalling condition for several systems in terms of the non-signalling conditions for the subsystems. This insight leads directly to an XOR-Lemma for non-signalling secrecy, i.e., the XOR can be used as a fixed privacy-amplification function, see Section 3.4.2. In Section 3.5 we construct a general key-agreement scheme from several partially secure non-signalling systems, and give a specific protocol in Section 5.3.



Related work The idea of basing secrecy on the non-signalling principle was introduced by Barrett, Hardy, and Kent [BHK05]. Key agreement against non-signalling adversaries when allowing restricted (individual) attacks was shown in [AGM06, AMP06, SGB+06]. In [Mas09], Masanes showed that privacy amplification against non-signalling adversaries works using a fixed function if an additional non-signalling condition holds between the subsystems. The proof is specific for the case of the CHSH inequality or its generalization, the Braunstein-Caves inequality (see Section 2.6.1), and is non-constructive, i.e., no explicit function for privacy amplification is given. Recently, Masanes showed that, in the above case, choosing the privacy amplification from a two-universal set is sufficient [MRW+09].

Contributions The main technical contributions of this chapter are Lemma 3.12, relating the non-signalling condition of several systems to the ones for each subsystem, and the XOR-Lemma for non-signalling secrecy (Theorem 3.1). Some results of this chapter have previously been published in [HKW10].



3.2 Modelling Non-Signalling Adversaries 




Figure 3.1: The tripartite scenario including the eavesdropper. 

In non-signalling key distribution, the measurements of Alice and Bob on some kind of physical system are abstractly modelled as a probability distribution $P_{XY|UV}$. This distribution must be non-signalling. A non-signalling adversary is an additional interface to the system shared by Alice and Bob, such that the resulting tripartite system $P_{XYZ|UVW}$ is still non-signalling between all parties. Of course, there is no need to limit the honest parties to two, there could be arbitrarily many: Alice, Bob, Charlie, etc. In particular, the case when Alice and Bob share $n$ different subsystems can be seen as the case of $2n$ parties (plus the eavesdropper). The fact that we model the eavesdropper as a single interface even if the honest parties share several subsystems reflects the eavesdropper's ability to attack all systems jointly.

In fact, the only restriction we will make on the ways the adversary can interact with the system is that the system between the honest parties and the adversary is non-signalling.

Condition 1. The system $P_{XYZ|UVW}$ must be a $(2n+1)$-party non-signalling system.

The non-signalling condition is motivated by quantum mechanics where measurements on different parts of an entangled quantum state cannot be used for message transmission. It, therefore, follows from the assumption usually made in quantum key distribution that, once the physical system is distributed, it can be modelled as an entangled quantum state and each party can only act (perform a measurement) on their part of the Hilbert space. However, Condition 1 is really equivalent to the condition that the honest parties have secure laboratories, in the sense that no (unauthorized) information must leak to any other party — in particular, no information is leaked via the physical system. It is clear that no cryptography is possible if this condition does not hold, for example, if Alice's laboratory contains a transmitter sending the key (or even the secret!) to the eavesdropper (see also Section 1.2). Note that the non-signalling condition between the honest parties and their subsystems can be guaranteed by either building several laboratories within the laboratories or by measuring the physical systems in a space-like separated way¹, in which case information transmission between them is ruled out by relativity theory.

3.2.1 Possible attacks 

In order to define the exact possibilities a non-signalling adversary has to attack a system, we define a non-signalling partition as a convex decomposition of the non-signalling system $P_{X|U}$ (see Figure 3.3).

1 In special relativity, space-like separated means that the coordinates of the events fulfil $c^2\Delta t^2 - |\Delta\vec{x}|^2 < 0$, where $c$ is the speed of light, and implies that there exists a reference frame according to which the two events occur simultaneously.

Figure 3.2: Alice and Bob share $n$ systems. Eve can attack all of them at once.

Figure 3.3: By Lemmas 3.1 and 3.2 an attack of the eavesdropper corresponds to a choice of convex decomposition. Her outcome is an element in the convex decomposition.



Definition 3.1. A non-signalling partition of a given $n$-party non-signalling system $P_{X|U}$ is a family of pairs $\{(p^{z_w}, P^{z_w}_{X|U})\}_{z_w}$, where $p^{z_w}$ is a weight and $P^{z_w}_{X|U}$ is an $n$-party non-signalling system, such that

$$P_{X|U} = \sum_{z_w} p^{z_w} \cdot P^{z_w}_{X|U}\,. \qquad (3.1)$$

The non-signalling partition defines exactly the possible extensions of a given $n$-party non-signalling system to an $(n+1)$-party non-signalling system and, therefore, the possibilities a non-signalling adversary has to attack the system $P_{X|U}$. This is stated in Lemmas 3.1 and 3.2.

Lemma 3.1. For any given $(n+1)$-party non-signalling system $P_{XZ|UW}$, any input $w$ induces a non-signalling partition of the $n$-party non-signalling system $P_{X|U}$, parametrized by $z$, with $p^{z_w} := P_{Z|W=w}(z)$ and $P^{z_w}_{X|U} := P_{X|U,Z=z,W=w}$.

Proof. Since $P_{XZ|UW}$ is an $(n+1)$-party non-signalling system, the marginal system $P_{X|U}$ and the conditional systems $P_{X|U,Z=z,W=w}$ are $n$-party non-signalling systems. For a given $W = w$, $P_{Z|W=w}$ is a probability distribution and, therefore, $p^{z_w} := P_{Z|W=w}(z)$ is a weight. Equation (3.1) holds by the definition of the marginal system. $\square$

Lemma 3.2. Given an $n$-party non-signalling system $P_{X|U}$, let $\mathcal{W}$ be a set of non-signalling partitions, $w = \{(p^{z_w}, P^{z_w}_{X|U})\}_{z_w}$. Then the $(n+1)$-party system where the input of the last party is $w \in \mathcal{W}$, defined by

$$P_{XZ|UW}(x,z,u,w) := p^{z_w}\cdot P^{z_w}_{X|U}(x,u)\,,$$

is non-signalling and has marginal system $P_{X|U}$.

Proof. To see that it has the correct marginal system, note that for any $w$, $\sum_{z_w} p^{z_w}\cdot P^{z_w}_{X|U} = P_{X|U}$ by (3.1). To see that it is non-signalling, consider Lemma 2.7, p. 58. We have

$$\sum_{x_i} P_{XZ|UW}(x,z,u_i,u_{\bar i},w) = \sum_{x_i} P_{XZ|UW}(x,z,u'_i,u_{\bar i},w)\,,$$

because the conditional systems $P^{z_w}_{X|U}(x,u)$ are $n$-party non-signalling. Additionally,

$$\sum_z P_{XZ|UW}(x,z,u,w) = \sum_z P_{XZ|UW}(x,z,u,w')$$

holds by (3.1). $\square$



3.2.2 Security of our key-agreement protocol 

The setup we consider (see Figure 3.4) is the one where Alice and Bob share a public authenticated channel plus some kind of physical system, modelled as a non-signalling system. They can interact with the physical system (i.e., give inputs and obtain outputs). Using the public authenticated channel, they can then apply a protocol to their inputs and outputs in order to obtain a shared secret key.

Eve can wire-tap the public channel, choose an input on her part of the system and obtain an output. The following lemma states that it is no advantage for Eve to make several non-signalling partitions (measurements) instead of a single one, as the same information can be obtained by making a refined non-signalling partition of the initial system. Without loss of generality, we can, therefore, assume that Eve gives a single input to the system at the end (after all communication between Alice and Bob is finished).

Lemma 3.3. Let $w$ be a non-signalling partition of a non-signalling system $P_{X|U}$ with elements $\{(p^{z_w}, P^{z_w}_{X|U})\}_{z_w}$, and let $w'_z$ be a set of non-signalling partitions of the non-signalling systems $P^{z_w}_{X|U}$ with elements $\{(p^{z'_{w'}}, P^{z_w z'_{w'}}_{X|U})\}_{z'_{w'}}$. Then there exists a non-signalling partition of $P_{X|U}$ with elements $\{(p^{z_w} p^{z'_{w'}}, P^{z_w z'_{w'}}_{X|U})\}_{z_w, z'_{w'}}$.

Proof. Since $p^{z_w}$ and $p^{z'_{w'}}$ are weights, their product is also a weight. The distributions $P^{z_w z'_{w'}}_{X|U}$ are $n$-party non-signalling systems because they are elements of the non-signalling partition $w'_z$. Finally,

$$\sum_{z_w, z'_{w'}} p^{z_w} p^{z'_{w'}}\cdot P^{z_w z'_{w'}}_{X|U} = \sum_{z_w} p^{z_w}\sum_{z'_{w'}} p^{z'_{w'}}\cdot P^{z_w z'_{w'}}_{X|U} = \sum_{z_w} p^{z_w}\cdot P^{z_w}_{X|U} = P_{X|U}\,,$$

where we have first used that $w'_z$ is a non-signalling partition of $P^{z_w}_{X|U}$ and then that $w$ is a non-signalling partition of $P_{X|U}$. $\square$

In our real scenario (see Figure 3.4), Alice, therefore, uses the inputs and outputs $U$ and $X$ of the system and the information $Q$ exchanged over the public authenticated channel to create a string $S_A$. Bob uses $V$ and $Y$ and the information $Q$ to create $S_B$. Eve obtains all the information $Q$ exchanged over the public authenticated channel, can then choose the input to her system $W$ (which can depend on $Q$) and finally obtains the outcome $Z$ of the system.

We define security by comparing this real scenario to an ideal scenario which is secure by definition (see Section 2.3). In the ideal scenario, Alice and Bob output the same uniformly distributed string, and the system Eve interacts with is completely uncorrelated with it. Our goal is to bound the distinguishing advantage between the real and ideal system.
Figure 3.4: Our real system (top). Alice and Bob share a public authenticated channel and a non-signalling system. When they apply a protocol $(\pi, \pi')$ to obtain a key, all this can together be modelled as a system. In our ideal system (bottom), the system outputs a uniform random string $S$ to both Alice and Bob. We also use an intermediate system (middle) in our calculations, which outputs $S_A$ to both Alice and Bob.
In order to bound the distance between the real and ideal system, we introduce an intermediate system (see Figure 3.4). Using the triangle inequality (Lemma 2.5, p. 32) we can bound the distance between the real and ideal system by the sum of the distances between the real or ideal system and the intermediate system. Note that the distance between the real and intermediate system is the parameter characterizing the correctness of the protocol, whereas the distance between the intermediate and the ideal system characterizes the secrecy (see Section 2.3.2).

In order to estimate the secrecy of the protocol, we introduce the distance from uniform of the key string $S_A$ from the eavesdropper's point of view. We will in the following call it the distance from uniform of $S_A$ given $Z(W_{n\text{-}s})$ and $Q$, where we write $Z(W_{n\text{-}s})$ because the eavesdropper can choose the input adaptively and the choice of input changes the output distribution.

Definition 3.2. Consider a system $\mathcal{S}_{\mathrm{real}}$ as depicted in Figure 3.4. The distance from uniform of $S_A$ given $Z(W_{n\text{-}s})$ and $Q$ is

$$d(S_A|Z(W_{n\text{-}s}),Q) = \frac12 \max_{w\in W_{n\text{-}s}} \sum_{s_A,q}\sum_z P_{Z,Q|W=w}(z,q)\cdot\big|P_{S_A|Z=z,Q=q,W=w}(s_A) - P_U(s_A)\big|\,,$$

where $P_U := 1/|\mathcal{S}_A|$ is the uniform distribution over $\mathcal{S}_A$ and the maximization is over all non-signalling systems $P_{XYZ|UVW}$.



It will be useful to define the distance from uniform of a string $S$ given a specific adversarial strategy $w$. To denote this difference, we will denote the strategy by a lower case letter.

Definition 3.3. The distance from uniform of $S$ given $Z(w)$ and $Q$ is

$$d(S|Z(w),Q) = \frac12 \sum_{s,q}\sum_z P_{Z,Q|W=w}(z,q)\cdot\Big|P_{S|Z=z,Q=q,W=w}(s) - \frac{1}{|\mathcal{S}|}\Big|\,.$$

The following corollary is a direct consequence² of the definitions of the systems in Figure 3.4 and the distinguishing advantage.

2 Note that, because the system considered is non-signalling, we can think of a box giving outputs indexed by $w$, $Z_w$, of which one is selected instead of a system taking input $W$.
Corollary 3.1. Assume a key $S_A$ generated by a system as given in Figure 3.4. Then

$$\delta(\mathcal{S}_{\mathrm{int}}, \mathcal{S}_{\mathrm{ideal}}) = d(S_A|Z(W_{n\text{-}s}),Q)\,.$$

The distance from the intermediate system to the real system is exactly the probability that the real system outputs different values on the two sides. This is again a direct consequence of the definitions.

Corollary 3.2. Assume a key $S_A$ generated by the intermediate system $\mathcal{S}_{\mathrm{int}}$ depicted in Figure 3.4. Then

$$\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{int}}) = \Pr[S_A \neq S_B]\,.$$

By the triangle inequality for the distinguishing advantage of systems (Lemma 2.5, p. 32), we obtain the following statement.

Lemma 3.4.

$$\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{ideal}}) \le \delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{int}}) + \delta(\mathcal{S}_{\mathrm{int}}, \mathcal{S}_{\mathrm{ideal}})\,.$$

In order to prove security we will, therefore, have to show that this quantity is small; more precisely, we will show that $\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{ideal}}) \le \epsilon$, which implies that the key-distribution scheme is $\epsilon$-secure.

3.3 Security of a Single System

3.3.1 A bipartite system with binary inputs and outputs

Let us consider the case where Alice and Bob share a non-signalling system which takes one bit input and gives one bit output on each side. Alice and Bob choose a random input and obtain the output. Then, they exchange their inputs over the public authenticated channel, i.e., $Q = (U = u, V = v)$,³ and take directly the output bit as secret key, i.e., $S_A = X$.

3 In a certain abuse of notation, we will allow $Q$ to consist of both random variables and events that a random variable takes a given value. In case of such events, $U = u$, this means that the distance from uniform will hold given this specific value $u$, whereas taking the expectation over $Q$ will correspond to taking the expectation over all the 'free' random variables contained in $Q$.
Assume that the system fulfils

$$\frac14\sum_{(x,y,u,v):\,x\oplus y = u\cdot v} P_{XY|UV}(x,y,u,v) = 1-\epsilon\,,$$

i.e., for $\epsilon < 1/4$, the system is non-local (see Definition 2.39, p. 52, and Example 7, p. 52). Our goal is to show that the bit $X$ is partially secret. In fact, its secrecy is proportional to the parameter $\epsilon$. We do not consider the correctness for the moment.
Figure 3.5: A system with $\Pr[X \oplus Y = U\cdot V] = 1-\epsilon$.

More precisely, we show the following statement.

Lemma 3.5. Let $P_{XYZ|UVW}$ be a non-signalling system with $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0,1\}$ such that the marginal $P_{XY|UV}$ fulfils

$$\frac14\sum_{(x,y,u,v):\,x\oplus y = u\cdot v} P_{XY|UV}(x,y,u,v) = 1-\epsilon$$

and let $Q := (U = u, V = v)$. Then

$$d(X|Z(W_{n\text{-}s}),Q) \le 2\epsilon\,.$$

Proof. Consider w.l.o.g. the case $X = 0$. We call $\epsilon_i$ the probability that $X \oplus Y \neq U\cdot V$ for the inputs $\{(0,0),(0,1),(1,0),(1,1)\}$, respectively. Suppose w.l.o.g. that the input was $(0,0)$, so $X$ should be maximally biased for this input. Since it holds that $\Pr[X\oplus Y \neq U\cdot V \mid U,V = 0,0] = \epsilon_1$, the bias of $Y$, given $U = V = 0$, must be at least $p - \epsilon_1$ (see Figure 3.6). Because of non-signalling, $X$'s bias must be $p$ as well when $V = 1$, and so on. Finally $\Pr[X\oplus Y\neq U\cdot V \mid (U,V) = (1,1)] = \epsilon_4$ implies $p - \epsilon_2 - (1-(p-\epsilon_1-\epsilon_3)) \le \epsilon_4$, hence, $p \le (1+\sum_i\epsilon_i)/2 = 1/2 + 2\epsilon$.

Now consider a non-signalling partition of $P_{XY|UV}$ parametrized by $z$. Let $\epsilon_z$ denote the error of the system given $Z = z$, i.e., $\epsilon_z = (\sum_i \epsilon_{i,z})/4$. Since this system must still be non-signalling, the bias of $X$ given $Z = z$, $U = u$ and $V = v$ is at most $2\epsilon_z$ by the above argument. However, $P_{XY|UV} = \sum_z p_z\cdot P^z_{XY|UV}$ implies $\epsilon = \sum_z p_z\cdot\epsilon_z$ and this holds for all values of $X$, therefore, $d(X|Z(W_{n\text{-}s}),Q) \le \sum_z p_z\cdot 2\epsilon_z = 2\epsilon$. $\square$
Figure 3.6: The maximal bias of the output of a system with $\Pr[X\oplus Y = U\cdot V] = 1-\epsilon$.

Note that there is a non-signalling partition, given in Section 5.3, reaching this bound.

Systems $P_{XY|UV}$ with $\epsilon \in [0, 0.25)$ are non-local, i.e., they violate a Bell inequality, more precisely the CHSH inequality given in Example 7, p. 52. For any of these systems, Eve cannot obtain perfect knowledge about Alice's output bit, and it, therefore, contains some secrecy.
3.3.2 The general optimal attack on a bit

Now consider the case when a bit $B = f(X)$ is obtained from the outputs of an $n$-party non-signalling system with arbitrary input and output alphabet. This includes, in particular, the case where Alice and Bob share a bipartite non-signalling system and the bit is a function only of Alice's outputs, i.e., the situation we will consider for key agreement. The inputs as well as the function $f$ are communicated over the public authenticated channel, i.e., $Q = (U = u, F = f)$. What is the maximal distance from uniform given an adversary's output variable $Z$ this bit can have?

Finding the maximal distance from uniform corresponds to finding the 'best' non-signalling partition, from the adversary's point of view. We first show that it is enough to consider non-signalling partitions with two elements.
Figure 3.7: In order to find the distance from uniform of a bit, it is enough to consider non-signalling partitions with two elements (Lemma 3.6).

Lemma 3.6. Assume there exists a non-signalling partition $w'$ with $d(f(X)|Z'(w'),Q)$, where $Q = (U = u, F = f)$. Then there exists a non-signalling partition $w$ with the same distance from uniform with $Z \in \{z_0, z_1\}$ and such that $P(f(X) = 0 \mid Q, Z = z_0) \ge 1/2$ and $P(f(X) = 0 \mid Q, Z = z_1) < 1/2$.

Proof. Assume that the non-signalling partition has more than two elements. Define a new element $(p^{z_0}, P^{z_0}_{X|U})$ by

$$p^{z_0} := \sum_{k=1}^{m} p^{z'_k}\,,\qquad P^{z_0}_{X|U} := \frac{1}{p^{z_0}}\sum_{k=1}^{m} p^{z'_k}\cdot P^{z'_k}_{X|U}\,,$$

where the set $z'_1, \ldots, z'_m$ is defined to consist of the conditional systems such that $P(f(X) = 0 \mid U = u, Z = z'_k) \ge 1/2$ ($p^{z_0}$ can be 0). Similarly define $(p^{z_1}, P^{z_1}_{X|U})$ as the convex combination of the remaining elements of the non-signalling partition. Since the space of non-signalling systems is convex, this forms again a non-signalling partition, and it reaches the same distance. $\square$



We can simplify the problem even further, such that we only need to consider a single element of the non-signalling partition. The reason is that given one element of a non-signalling partition with two elements, the other one is uniquely determined by the fact that the sum of the two is the marginal system, i.e.,

Lemma 3.7. Consider a non-signalling partition $w$ with element $(p, P^{z_0}_{X|U})$ such that $P(B = 0 \mid Q, Z = z_0) \ge 1/2$ with $B = f(X)$ and $Q = (U = u, F = f)$. Then the distance from uniform of $B$ given the non-signalling partition $w$ and $Q = (U = u, F = f)$ is

$$d(B|Z(w),Q) = p\cdot\big(P(B = 0\mid Q, Z = z_0) - P(B = 1\mid Q, Z = z_0)\big) - \frac12\cdot\big(P(B = 0\mid Q) - P(B = 1\mid Q)\big)\,,$$

where $P(B = 0\mid Q)$ stands for $\sum_{x:\,f(x) = 0} P_{X|U}(x,u)$.



Proof. W.l.o.g. assume that $P(B = 0|Q, Z = z_1) < 1/2$. By the definition of the distance from uniform given a non-signalling partition (p. 127), the distance from uniform of $B$ given the non-signalling partition $w$ and $Q = (U = u, F = f)$ is
$$\begin{aligned} d(B|Z(w),Q) &= p \cdot \Bigl(P(B = 0|Q, Z = z_0) - \frac{1}{2}\Bigr) + (1 - p) \cdot \Bigl(\frac{1}{2} - P(B = 0|Q, Z = z_1)\Bigr) \\ &= \frac{1}{2} \cdot p \cdot \bigl(P(B = 0|Q, Z = z_0) - P(B = 1|Q, Z = z_0)\bigr) + \frac{1}{2} \cdot (1 - p) \cdot \bigl(P(B = 1|Q, Z = z_1) - P(B = 0|Q, Z = z_1)\bigr) \\ &= p \cdot \bigl(P(B = 0|Q, Z = z_0) - P(B = 1|Q, Z = z_0)\bigr) - \frac{1}{2} \cdot \bigl(P(B = 0|Q) - P(B = 1|Q)\bigr), \end{aligned}$$
where we have used that $(1 - p) P^{z_1}_{X|U} = P_{X|U} - p P^{z_0}_{X|U}$. □



We have reduced the question of the maximal distance from uniform given a non-signalling partition to the problem of finding the 'best' element $(p, P^{z_0}_{X|U})$ of a non-signalling partition. The question remains to be answered when $(p, P^{z_0}_{X|U})$ is an element of a non-signalling partition. The criterion is given in Lemma 3.8.



Lemma 3.8. Given a non-signalling system $P_{X|U}$, there exists a non-signalling partition with element $(p, P^{z_0}_{X|U})$ if and only if for all inputs and outputs $x, u$,
$$p \cdot P^{z_0}_{X|U}(x,u) \le P_{X|U}(x,u). \qquad (3.2)$$



Proof. The non-signalling condition is linear and the space of conditional probability distributions is convex, therefore a convex combination of non-signalling systems $P_{X|U}$ is a non-signalling system. In order to prove that the outcome $z_0$ can occur with probability $p$ it is, therefore, sufficient to show that there exists another outcome $z_1$ which can occur with $1 - p$, and that the weighted sum of the two is $P_{X|U}$. If $P^{z_0}_{X|U}$ is a normalized and non-signalling probability distribution, then so is $P^{z_1}_{X|U}$, because the convex combination of the two, $P_{X|U}$, is also non-signalling and normalized. Therefore, we only need to verify that all entries of the complementary system $P^{z_1}_{X|U}$ are between 0 and 1. However, this system is the difference
$$P^{z_1}_{X|U} = \frac{1}{1 - p} \cdot \bigl(P_{X|U} - p \cdot P^{z_0}_{X|U}\bigr).$$
Requesting this to be greater or equal to 0 is equivalent to (3.2). We observe that all entries of $P^{z_1}_{X|U}$ are smaller or equal to 1 because of the normalization: if the sum of positive terms is 1, each of them can be at most 1. □



The above argument implies in fact that the maximal distance from uniform can be calculated by the following optimization problem, a linear program:

max: $\sum_{x : B = 0} p \cdot P^{z_0}_{X|U}(x,u) - \sum_{x : B = 1} p \cdot P^{z_0}_{X|U}(x,u) - \frac{1}{2} \sum_{x : B = 0} P_{X|U}(x,u) + \frac{1}{2} \sum_{x : B = 1} P_{X|U}(x,u)$
s.t. $p \cdot P^{z_0}_{X|U}$ non-signalling
     $p \cdot P^{z_0}_{X|U}(x,u) \ge 0$ for all $x, u$
     $p \cdot P^{z_0}_{X|U}(x,u) \le P_{X|U}(x,u)$ for all $x, u$.

We give a slightly different form of this optimization problem, where instead of the variable $p P^{z_0}_{X|U}$ we optimize over a variable $\Lambda = 2p P^{z_0}_{X|U} - P_{X|U}$. $\Lambda$ can be seen as a non-signalling system which does not need to be normalized nor positive. Why we use this form will become clear in Section 3.4.

Lemma 3.9. The distance from uniform of $B = f(X)$ given $Z(W_{n\text{-}s})$ and $Q := (U = u, F = f)$ is
$$d(B|Z(W_{n\text{-}s}),Q) = \frac{1}{2}\, b^T \cdot \Lambda^*,$$
where $b^T \Lambda^*$ is the optimal value of the linear program

max: $\sum_{x : B = 0} \Lambda(x,u) - \sum_{x : B = 1} \Lambda(x,u)$   (3.3)
s.t. $\sum_{x_i} \Lambda(x_i, x_{\bar i}, u_i, u_{\bar i}) - \sum_{x_i} \Lambda(x_i, x_{\bar i}, u'_i, u_{\bar i}) = 0$ for all $i, x_{\bar i}, u_i, u'_i, u_{\bar i}$
     $\Lambda(x,u) \le P_{X|U}(x,u)$ for all $x, u$
     $\Lambda(x,u) \ge -P_{X|U}(x,u)$ for all $x, u$.

Proof. We show that every element $(p, P^{z_0}_{X|U})$ of a non-signalling partition corresponds to a feasible $\Lambda$, and vice versa.

Assume an element of a non-signalling partition, $(p, P^{z_0}_{X|U})$, and define
$$\Lambda(x,u) = 2p \cdot P^{z_0}_{X|U}(x,u) - P_{X|U}(x,u).$$
$\Lambda$ fulfils the non-signalling conditions by linearity. The positivity of $p$ and $P^{z_0}_{X|U}(x,u) \ge 0$ imply $\Lambda(x,u) \ge -P_{X|U}(x,u)$, and $p P^{z_0}_{X|U}(x,u) \le P_{X|U}(x,u)$ (Lemma 3.8) implies $\Lambda(x,u) \le P_{X|U}(x,u)$. $\Lambda$ is, therefore, feasible.

To see the reverse direction, assume a feasible $\Lambda$. Define
$$p = \frac{1}{2}\Bigl(1 + \sum_x \Lambda(x,u)\Bigr), \qquad P^{z_0}_{X|U}(x,u) = \frac{P_{X|U}(x,u) + \Lambda(x,u)}{2p}.$$
(For completeness, define $P^{z_0}_{X|U}(x,u) = P_{X|U}(x,u)$ in case $p = 0$.) To see that $(p, P^{z_0}_{X|U})$ is an element of a non-signalling partition note that, because of the non-signalling constraints, $\sum_x \Lambda(x,u) = \sum_x \Lambda(x,u')$ for all $u'$. I.e., $p$ is independent of the chosen input and the above transformation is, therefore, linear. This implies that $P^{z_0}_{X|U}$ is non-signalling. Since
$$\sum_x P^{z_0}_{X|U}(x,u) = \sum_x \frac{P_{X|U}(x,u) + \Lambda(x,u)}{2p} = \frac{1 + (2p - 1)}{2p} = 1,$$
it is normalized. Since $-P_{X|U}(x,u) \le \Lambda(x,u) \le P_{X|U}(x,u)$ and $\sum_x P_{X|U}(x,u) = 1$, it holds that $-1 \le \sum_x \Lambda(x,u) \le 1$ and this implies $P^{z_0}_{X|U}(x,u) \ge 0$, i.e., $P^{z_0}_{X|U}$ is a non-signalling system. By Lemma 3.8, $(p, P^{z_0}_{X|U})$ is an element of a non-signalling partition because
$$p \cdot P^{z_0}_{X|U}(x,u) = \frac{1}{2} \cdot \bigl(P_{X|U}(x,u) + \Lambda(x,u)\bigr) \le P_{X|U}(x,u).$$
The value of the objective function for any $\Lambda$ is exactly twice the distance from uniform reached by the non-signalling partition with element $(p, P^{z_0}_{X|U})$:
$$\sum_{x : B = 0} \Lambda(x,u) - \sum_{x : B = 1} \Lambda(x,u) = \sum_{x : B = 0} \bigl(2p \cdot P^{z_0}_{X|U}(x,u) - P_{X|U}(x,u)\bigr) - \sum_{x : B = 1} \bigl(2p \cdot P^{z_0}_{X|U}(x,u) - P_{X|U}(x,u)\bigr),$$
which is exactly twice the distance from uniform by Lemma 3.7. □



Note that the linear program of Lemma 3.9 can be expressed either in its primal or dual form (see Section 2.4.1).

PRIMAL

max: $b^T \cdot \Lambda$   (3.4)
s.t. $A \cdot \Lambda \le c$, where
$$A = \begin{pmatrix} A_{n\text{-}s} \\ -A_{n\text{-}s} \\ \mathbb{1} \\ -\mathbb{1} \end{pmatrix}, \qquad c = \begin{pmatrix} 0 \\ 0 \\ P_{X|U} \\ P_{X|U} \end{pmatrix}.$$

The dual of the above linear program has the form

DUAL

min: $c^T \cdot \lambda$   (3.5)
s.t. $A^T \cdot \lambda = b$
     $\lambda \ge 0$.

As an example, consider again a system with binary inputs and outputs, i.e. the case we have already studied in Section 3.3.1. We give the explicit forms of $A$, $b$, and $c$ below.



Example 11. For a bipartite system taking one bit input and giving one bit output on each side, $A$, $b$, and $c$ have the form
$$A = \begin{pmatrix} A_{n\text{-}s} \\ -A_{n\text{-}s} \\ \mathbb{1}_{16} \\ -\mathbb{1}_{16} \end{pmatrix}, \qquad c = \begin{pmatrix} 0_{16} \\ 0_{16} \\ P_{XY|UV} \\ P_{XY|UV} \end{pmatrix},$$
where $b$ has the entries $+1$ at the positions of $P(0, y, u, v)$ and $-1$ at the positions of $P(1, y, u, v)$ for the input pair $(u,v)$ fixed by $Q$, and $0$ elsewhere, and $A_{n\text{-}s}$ is the matrix with entries in $\{0, \pm 1\}$ whose rows are the non-signalling conditions $\sum_y P(x,y|u,0) - \sum_y P(x,y|u,1) = 0$ (one row per $x, u$) and $\sum_x P(x,y|0,v) - \sum_x P(x,y|1,v) = 0$ (one row per $y, v$). The vector of probabilities is ordered as
$$P_{XY|UV} = \bigl(P(0,0,0,0),\, P(0,1,0,0),\, P(0,0,0,1),\, P(0,1,0,1),\, P(1,0,0,0),\, P(1,1,0,0),\, P(1,0,0,1),\, P(1,1,0,1),\, P(0,0,1,0),\, P(0,1,1,0),\, P(0,0,1,1),\, P(0,1,1,1),\, P(1,0,1,0),\, P(1,1,1,0),\, P(1,0,1,1),\, P(1,1,1,1)\bigr)^T.$$
(The printed $\pm 1$ entries of $A_{n\text{-}s}$ are not reproduced here.)



Since a linear program can be solved either in its primal or its dual form, we could as well have solved the dual problem (3.5) in order to obtain the distance from uniform of the bit $B$, instead of the above linear program. The dual is a minimization problem, and therefore, any feasible solution of the dual program is an upper bound on the distance from uniform of the bit $B$. We further observe that the dual feasible solutions are independent of the marginal probability distribution as seen by the honest parties, and that the value reached by the dual feasible solution can be expressed in terms of the marginal probability distribution.

Lemma 3.10. For any dual feasible solution of the linear program (3.3) (see (3.5)), there exists an event $\mathcal{E}$ defined by the inputs and outputs of the system $P_{X|U}$ and (independent) randomness such that the value of (3.5) is proportional to the probability of this event, and, therefore, $d(f(X)|Z(W_{n\text{-}s}), Q) \le d/2 = c^T \lambda / 2 \propto P(\mathcal{E})$.

Note that Lemma 3.10 holds, in particular, for the optimal dual solution, which implies that the distance from uniform is proportional to some event defined by the random variables, i.e., the secrecy of the bit can be inferred from the behaviour of the marginal system.

Proof. The value of $d(f(X)|Z(W_{n\text{-}s}), Q)$ is bounded by the value of any dual feasible solution, i.e., it is of the form $c^T \lambda / 2$, where $c$ contains the probabilities $P_{X|U}(x,u)$ (all other entries are 0) and $\lambda \ge 0$. Therefore, it can be expressed as a weighted sum of the probabilities $P_{X|U}(x,u)$. If all weights have the same value, this implies that the optimal value is proportional to an event $\mathcal{E}$ defined by $X$ and $U$. If not all weights have the same value, define for each $x$ and $u$ an additional random coin which takes value 1 with probability $\lambda_i / \max_i(\lambda_i)$. The optimal value is then proportional to an event $\mathcal{E}$ defined by $X$ and $U$ and the additional random coin taking value 1. □

Example 12. Let us come back to the above example of a bipartite system with binary inputs and outputs. It can easily be verified that the following is a dual feasible solution of the linear program:
$$\lambda^T = \bigl(\tfrac{1}{2}\ \tfrac{1}{2}\ \cdots\ \tfrac{1}{2}\ \big|\ 0\,1\,0\,1\,0\,0\,0\,0\,0\,0\,1\,0\,1\,0\,0\,0\ \big|\ 0\,0\,0\,0\,1\,0\,1\,0\,0\,1\,0\,0\,0\,0\,0\,1\bigr)$$
(it is also optimal for systems with $\epsilon < 0.25$). To obtain the value of the objective function ($c^T \lambda$), the first part of $\lambda$ will be multiplied by 0, i.e., does not contribute to the value. The second part is multiplied by $P_{XY|UV}$. We can easily see by comparison that for every $x, y, u, v$ such that $x \oplus y \ne u \cdot v$, there is exactly one '1' in the second part of $\lambda$ and everywhere else $\lambda$ is 0, i.e.,
$$c^T \cdot \lambda = \sum_{x, y, u, v : x \oplus y \ne u \cdot v} P_{XY|UV}(x, y, u, v).$$

This confirms the results of Section 3.3.1.
3.4 Several Systems

3.4.1 The non-signalling condition for several systems

We have already seen that the distance from uniform of a bit obtained from any (not necessarily bipartite) non-signalling system can be obtained by a linear program (3.3). In this section, we study the structure of the space describing $n$-party non-signalling systems, and show that the non-signalling condition for $n$ parties can be expressed as a function of the non-signalling conditions of the different parts it consists of. More precisely, we show that the non-signalling condition of an $(n+m)$-party non-signalling system is just the tensor product of the non-signalling conditions for an $n$- and an $m$-party non-signalling system.

Note that the probabilities describing an $(n+m)$-party non-signalling system can be seen as living in the tensor product space of the vectors of probabilities describing each subsystem.

Lemma 3.11. Let $P_{X_1|U_1}$ be an $n$-party non-signalling system, and write $A_{n\text{-}s,1}$ for the matrix describing the non-signalling conditions this system fulfils, i.e., $A_{n\text{-}s,1} \cdot P_{X_1|U_1} = 0$. Similarly, let $P_{X_2|U_2}$ be an $m$-party non-signalling system fulfilling $A_{n\text{-}s,2} \cdot P_{X_2|U_2} = 0$. Then the $(n+m)$-party system $P_{X_1X_2|U_1U_2}$ is non-signalling exactly if
$$(A_{n\text{-}s,1} \otimes \mathbb{1}_{n\text{-}s,2}) \cdot P_{X_1X_2|U_1U_2} = 0 \quad \text{and} \quad (\mathbb{1}_{n\text{-}s,1} \otimes A_{n\text{-}s,2}) \cdot P_{X_1X_2|U_1U_2} = 0.$$

Proof. The non-signalling conditions for the $n$-party non-signalling system are of the form
$$\sum_{x_{1,i}} P_{X_1|U_1}(x_1, u_{1,i}, u_{1,\bar i}) - \sum_{x_{1,i}} P_{X_1|U_1}(x_1, u'_{1,i}, u_{1,\bar i}) = 0.$$
The conditions $(A_{n\text{-}s,1} \otimes \mathbb{1}_{n\text{-}s,2}) \cdot P_{X_1X_2|U_1U_2} = 0$, therefore, correspond to conditions of the form
$$\sum_{x_{1,i}} P_{X_1X_2|U_1U_2}(x_1, x_2, u_{1,i}, u_{1,\bar i}, u_2) - \sum_{x_{1,i}} P_{X_1X_2|U_1U_2}(x_1, x_2, u'_{1,i}, u_{1,\bar i}, u_2) = 0$$
(and similarly for the second system) which must hold for any $(n+m)$-party non-signalling system by Definition 2.41 (p. 57). By the lemma on p. 58 these conditions are also sufficient. □

The above argument implies that in the linear program (3.3), the non-signalling condition can be replaced by this 'tensor product' expression instead of directly requiring the system to be $n$-party non-signalling.



3.4.2 An XOR-Lemma for non-signalling secrecy

We can now show that non-signalling secrecy can be amplified by a deterministic privacy-amplification function, namely the XOR. Assume that Alice and Bob share a system giving rise to a (non-local) probability distribution $P_{XY|UV}$. Assume further that from this distribution a bit, $f(X)$, can be extracted and that this bit is partially secret by the non-signalling condition. Then the bit obtained from $n$ copies of the distribution $P_{XY|UV}$ by XORing the $n$ partially secret bits together is insecure only if all the $n$ copies are insecure.

The key observation in order to show that the XOR of several partially non-signalling secure bits is highly secure is that the linear program describing the distance from uniform of this bit is the tensor product of the 'individual' linear programs in the sense that its constraint matrix $A_n$ is $A^{\otimes n}$ and the objective function $b_n = b^{\otimes n}$. The vector $c_n$ does not need to be of product form, because a $(2n)$-party non-signalling system does not necessarily need to consist of $n$ independent bipartite non-signalling distributions. The linear program can be taken to be of the following form:

max: $(b^{\otimes n})^T \cdot \Lambda$   (3.6)
s.t. $A^{\otimes n} \cdot \Lambda \le c_n$.

Lemma 3.12. Let $A_1$, $b_1$, and $c_1$ be the vectors and matrices associated with the linear program (3.4) calculating the maximal distance from uniform of a bit $f(X_1)$ of an $n$-party non-signalling system $P_{X_1|U_1}$ and similarly call $A_2$, $b_2$, and $c_2$ the vectors and matrices associated with the distance from uniform of a bit $g(X_2)$ of an $m$-party non-signalling system $P_{X_2|U_2}$. Then the distance from uniform of the bit $B = f(X_1) \oplus g(X_2)$ is bounded by the linear program $A$, $b$, and $c$, where $A = A_1 \otimes A_2$ and $b = b_1 \otimes b_2$.
Proof. Let us first verify that the constraints need to hold. Lemma 3.11 implies that for any $\Lambda$ associated with an $(n+m)$-party non-signalling system, $(A_1 \otimes \mathbb{1}) \Lambda \le 0$ must hold, and similarly with the sign on the left-hand side reversed and for the non-signalling condition of the $m$-party system. $(A_1 \otimes A_2) \Lambda \le 0$ holds because it is a linear combination of the conditions of the form $(A_1 \otimes \mathbb{1}) \Lambda \le 0$. The condition of the form $(\mathbb{1} \otimes \mathbb{1}) \Lambda \le P_{X_1X_2|U_1U_2}$ must hold by Lemma 3.8.

It remains to see that $b$ can be taken of this form. $b$ is equal to 0 where either $b_1$ or $b_2$ is equal to 0, equal to 1 exactly where both $b_1$ and $b_2$ are equal to 1 or both are equal to $-1$. It is equal to $-1$ where $b_1$ and $b_2$ are equal to 1, $-1$ or vice versa. This models exactly the vector $b$ associated with the bit $B = f(X_1) \oplus g(X_2)$. □

Now switch to the dual form of this linear program.

min: $c_n^T \cdot \lambda_n$
s.t. $(A^{\otimes n})^T \cdot \lambda_n = b^{\otimes n}$
     $\lambda_n \ge 0$.

It is now straightforward to see that if $\lambda$ was a feasible solution for a single copy of the system, then $\lambda_n = \lambda^{\otimes n}$ is a feasible solution for the dual of the $n$-copy version and, therefore, an upper bound on the distance from uniform of the bit $B = \bigoplus_i B_i$.

Lemma 3.13. For any $\lambda_1$ which is dual feasible for the linear program $A_1, b_1$ associated with the non-signalling system $P_{X_1|U_1}$ and $\lambda_2$ which is dual feasible for the linear program $A_2, b_2$ associated with the non-signalling system $P_{X_2|U_2}$, $\lambda = \lambda_1 \otimes \lambda_2$ is dual feasible for the linear program $A, b$ associated with $P_{X_1X_2|U_1U_2}$.

Proof. By Lemma 3.12, $A = A_1 \otimes A_2$ and $b = b_1 \otimes b_2$. Therefore,
$$A^T \cdot \lambda = (A_1 \otimes A_2)^T \cdot (\lambda_1 \otimes \lambda_2) = (A_1^T \cdot \lambda_1) \otimes (A_2^T \cdot \lambda_2) = b_1 \otimes b_2.$$
Furthermore, $\lambda_1, \lambda_2 \ge 0$ implies $\lambda_1 \otimes \lambda_2 \ge 0$. Therefore, $\lambda$ is dual feasible. □

If the marginal $c_n$ of $n$ systems has product form, the value of this dual feasible solution, and, therefore, an upper bound on the distance from uniform of the key bit, is $c_n^T \lambda_n = (\bigotimes_i c_i^T)(\bigotimes_i \lambda_i) = \bigotimes_i (c_i^T \lambda_i) = \prod_i (c_i^T \lambda_i)$, i.e., the same value as if each of the $n$ systems was attacked individually. If $c_n$ does not have product form, then the value is still bounded by the probability that the event (defined by the input/output configurations such that the bit is insecure, Lemma 3.10) occurs for all the $n$ copies of the system, as stated in the following lemma.

Theorem 3.1 (XOR-Lemma for non-signalling secrecy). Let $P_{X_1|U_1}$ be an $n$-party non-signalling system and $f(X_1)$ a bit such that $d(f(X_1)|Z(W_{n\text{-}s}), Q) \le k_1 P(\mathcal{E}_1)/2$, where $\mathcal{E}_1$ is an event defined by $X_1$ and $U_1$ (and maybe independent randomness). Similarly, let $P_{X_2|U_2}$ be an $m$-party non-signalling system with associated bit $g(X_2)$ and $d(g(X_2)|Z(W_{n\text{-}s}), Q) \le k_2 P(\mathcal{E}_2)/2$. Let $Q = (U = u, F = f, G = g)$. Then
$$d(f(X_1) \oplus g(X_2)|Z(W_{n\text{-}s}), Q) \le \frac{1}{2} \cdot k_1 \cdot k_2 \cdot P(\mathcal{E}_1 \wedge \mathcal{E}_2).$$

Proof. This follows directly from Lemma 3.13. □

Example 13. Let us come back to the example of Section 3.3.1 (see also Example 11), where $P_{XY|UV}$ is a $(2n)$-party non-signalling system and each random variable is a bit. We have seen in Example 12 that the distance from uniform of each bit is upper-bounded by
$$d(X_i|Z(W_{n\text{-}s}), Q) \le \frac{1}{2} \sum_{x_i, y_i, u_i, v_i : x_i \oplus y_i \ne u_i \cdot v_i} P_{X_iY_i|U_iV_i}(x_i, y_i, u_i, v_i).$$
Therefore,
$$d\Bigl(\bigoplus_i X_i \Big| Z(W_{n\text{-}s}), Q\Bigr) \le \frac{1}{2} \sum_{x, y, u, v : \forall i\ x_i \oplus y_i \ne u_i \cdot v_i} P_{XY|UV}(x, y, u, v).$$
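As an added worked example (not code from the thesis), the following Python script carries Lemma 3.9, Example 12, Lemma 3.10 and Theorem 3.1 with Example 13 through for a constructed isotropic noisy PR box with $P(x \oplus y \ne u \cdot v|u,v) = \epsilon$ for every input pair, for the bit $B = X$ at the input pair $(u,v) = (0,0)$. The candidate $\Lambda$ and the multipliers $\eta$ on the non-signalling rows are our own choices (assumed, then verified): the script checks primal feasibility of $\Lambda$, builds a dual feasible $\lambda$ of (3.5) from $\eta$ in the way Example 12 does, and certifies optimality by the two values agreeing, which gives $d = 2\epsilon$ for $\epsilon \le 1/4$. It then forms $\lambda \otimes \lambda$ for two independent boxes to reproduce the XOR bound of Example 13, $8\epsilon_1\epsilon_2$. Exact rational arithmetic is used so every check is an equality rather than a float comparison.

```python
from fractions import Fraction
from itertools import product

BITS = (0, 1)
# One bipartite binary system is indexed by (x, y, u, v): Alice's output x and input u,
# Bob's output y and input v. All checks below are independent of the vector ordering.
KEYS = [(x, y, u, v) for x in BITS for y in BITS for u in BITS for v in BITS]


def noisy_pr_box(eps):
    """Constructed sample system (eps a Fraction): (1-eps)/2 on x XOR y = u*v, eps/2 elsewhere."""
    return {k: (1 - eps) / 2 if k[0] ^ k[1] == k[2] * k[3] else eps / 2 for k in KEYS}


def nonsignalling_rows():
    """Rows of A_ns as (label, sparse row); P is non-signalling iff every row dots to 0 with P."""
    rows = []
    for x, u in product(BITS, BITS):   # Bob's input v must not change Alice's marginal P(x|u)
        rows.append((("A", x, u), {**{(x, y, u, 0): 1 for y in BITS},
                                   **{(x, y, u, 1): -1 for y in BITS}}))
    for y, v in product(BITS, BITS):   # Alice's input u must not change Bob's marginal P(y|v)
        rows.append((("B", y, v), {**{(x, y, 0, v): 1 for x in BITS},
                                   **{(x, y, 1, v): -1 for x in BITS}}))
    return rows


def objective_b():
    """b of (3.3) for B = X and Q = (U = 0): +1 on x = 0, -1 on x = 1 at inputs (u, v) = (0, 0)."""
    return {k: ((1 if k[0] == 0 else -1) if (k[2], k[3]) == (0, 0) else 0) for k in KEYS}


def dot(a, b):
    return sum(a.get(k, 0) * b.get(k, 0) for k in KEYS)


def is_primal_feasible(lam, P):
    """Constraints of (3.3): A_ns Lambda = 0 and -P <= Lambda <= P entrywise."""
    return (all(dot(row, lam) == 0 for _, row in nonsignalling_rows())
            and all(-P[k] <= lam[k] <= P[k] for k in KEYS))


def primal_candidate(eps):
    """Our guess for Lambda* (assumed, verified below; feasible only for eps <= 1/4):
    at u = 0 magnitude 3eps/2 on x XOR y = u*v and eps/2 elsewhere, sign + for x = 0;
    at u = 1 magnitude eps/2, sign + for y = 0."""
    lam = {}
    for x, y, u, v in KEYS:
        if u == 0:
            mag = 3 * eps / 2 if x ^ y == u * v else eps / 2
            lam[(x, y, u, v)] = mag if x == 0 else -mag
        else:
            lam[(x, y, u, v)] = eps / 2 if y == 0 else -eps / 2
    return lam


def dual_residual(b):
    """t = b - A_ns^T eta with eta = +1/2 on rows for output 0 and -1/2 on rows for output 1
    (our choice). With nu+ = max(t, 0) and nu- = max(-t, 0), lambda = (mu+, mu-, nu+, nu-) is
    dual feasible for (3.5): A^T lambda = b holds by construction and lambda >= 0."""
    t = dict(b)
    for label, row in nonsignalling_rows():
        eta = Fraction(1, 2) if label[1] == 0 else Fraction(-1, 2)
        for k, coef in row.items():
            t[k] -= eta * coef
    return t


def dual_value(P, t):
    """c^T lambda = sum_k P[k] * (nu+[k] + nu-[k]) = sum_k P[k] * |t[k]| (c is 0 on mu+, mu-)."""
    return sum(P[k] * abs(t[k]) for k in KEYS)


def certified_distance(eps):
    """Lemma 3.9: d(X | Z(W), U = 0) = b^T Lambda* / 2. Weak duality gives primal <= dual for
    any feasible pair; equal values certify that both are optimal."""
    P, b = noisy_pr_box(eps), objective_b()
    lam = primal_candidate(eps)
    assert is_primal_feasible(lam, P)
    primal, dual = dot(b, lam), dual_value(P, dual_residual(b))
    assert primal == dual, (primal, dual)
    return primal / 2


def event_indicator():
    """Lemma 3.10 / Example 12: |t| is the indicator of x XOR y != u*v, so the dual value is
    the summed error probability of the box."""
    t = dual_residual(objective_b())
    return all(abs(t[k]) == (1 if k[0] ^ k[1] != k[2] * k[3] else 0) for k in KEYS)


def xor_bound(eps1, eps2):
    """Lemma 3.13 / Theorem 3.1 for two independent boxes: lambda (x) lambda is dual feasible
    for the product system and its value factorizes, so d(X1 XOR X2) <= (1/2) * sum over the
    configurations in which both copies are in error (Example 13)."""
    P1, P2 = noisy_pr_box(eps1), noisy_pr_box(eps2)
    t = dual_residual(objective_b())
    value = sum(P1[k1] * P2[k2] * abs(t[k1] * t[k2]) for k1 in KEYS for k2 in KEYS)
    assert value == dual_value(P1, t) * dual_value(P2, t)
    return value / 2


if __name__ == "__main__":
    print(certified_distance(Fraction(1, 10)), xor_bound(Fraction(1, 10), Fraction(1, 10)))
```

For $\epsilon = 1/10$ the single-bit distance is $1/5$ while the XOR of two independent copies is bounded by $2/25$; at $\epsilon = 1/4$ (the local box) the bound reaches the trivial value $1/2$, matching the remark in Example 12 that the dual solution is optimal only up to $\epsilon = 0.25$.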

3.5 Key Distribution from Non-Signalling Systems

In this section we show how we can use the XOR-Lemma established in the previous section to obtain a device-independent quantum key-agreement protocol. An explicit example of such a protocol is given in a later section.
A (quantum) key-distribution protocol usually proceeds in several steps. First, Alice and Bob use the quantum channel. They distribute entangled quantum states and measure them in order to obtain (classical) input and output values. Then they sacrifice some of their systems (data) to check whether an eavesdropper was present and whether their data is good enough to establish a key. This step is called parameter estimation. Then, they do classical post-processing to transform their weakly correlated data into bit strings which are almost certainly equal, i.e., they do information reconciliation. Finally, they do privacy amplification, i.e., they apply a function to their partially secure bit strings in order to obtain a shorter, but highly secure key.

We have to show two things about this key (see Section 2.3.2): the probability that Alice's and Bob's keys are not equal is small (correctness) and the adversary knows almost nothing about this key (secrecy). Together (Lemma 2.5, p. 52), these two properties imply that the key is close to a perfect key. Note that the key can be of zero length (i.e., Alice and Bob abort the protocol), in which case correctness and secrecy both trivially hold. This situation occurs if the parameter estimation step indicates that the systems are not good enough for key agreement. If the adversary has full control over the systems which are distributed (the channel), it is not possible to require that a key is always generated, because the adversary could just interrupt the communication line. Of course, we would like a key to be generated if the adversary is passive. This property of a key-distribution scheme is called robustness. Robustness characterizes the probability that the protocol aborts even though no adversary is present.



3.5.1 Parameter estimation

The goal of parameter estimation is for Alice and Bob to test whether the systems they have received are good enough to do key agreement. They execute a protocol where they interact with their systems and then output either 'accept' or 'reject'. If the systems have the necessary properties for key agreement, they should output 'accept', while if they have not, they should output 'reject'.

Definition 3.4. A parameter estimation protocol is said to $\epsilon$-securely filter systems $P_{XY|UV}$ of a set $\mathcal{P}$ (or string pairs $(x,y)$ of a set $\mathcal{B}$) if on input $P_{XY|UV} \in \mathcal{P}$ (or $(x,y) \in \mathcal{B}$) the protocol outputs 'abort' with probability at least $1 - \epsilon$.

Definition 3.5. A parameter estimation protocol is said to be $\epsilon'$-robust on systems $P_{XY|UV}$ of a set $\mathcal{P}$ if on input $P_{XY|UV} \in \mathcal{P}$ the protocol outputs 'abort' with probability at most $\epsilon'$.

Before starting the protocol, Alice and Bob fix its parameters, more precisely, the probabilities $\kappa$ and $p$ and values $\epsilon$ and $\delta$.

Protocol 1 (Parameter estimation).

1. Alice and Bob receive $P_{XY|UV}$.

2. Alice chooses $U$ such that for each $i$ with probability $1 - \kappa$, it holds that $U_i = u_k$, where $u_k$ is the input from which a raw key bit can be generated, and with probability $\kappa$ she chooses one of the $|\mathcal{U}|$ inputs uniformly at random.

3. Bob chooses $V$ such that $V_i = v_k$ with probability $1 - \kappa$ and with probability $\kappa$, $V_i$ is chosen uniformly at random.

4. They input $u$ and $v$ into the system and obtain outputs $x$ and $y$.

5. They send the inputs over the public authenticated channel.

6. If less than $(1 - \kappa)^2 p n$ of the inputs were $(U_i, V_i) = (u_k, v_k)$ they abort.

7. If any combination of the possible values of $(u_{\hat k}, v_{\hat k})$ (where $\hat k$ denotes the inputs which were chosen uniformly at random) occurred less than $\kappa^2 p n / |\mathcal{U}||\mathcal{V}|$ times, they abort.

8. From the inputs $(u_{\hat k}, v_{\hat k})$, they estimate $P_{XYUV}(x,y,u,v)$, i.e., they calculate the fraction of times they obtained a certain combination $x,y,u,v$. Call this distribution $P^{est}_{XYUV}$. If $|\mathcal{U}||\mathcal{V}| \cdot P^{est}_{XYUV} \cdot \lambda > \epsilon$, where $\lambda$ is a dual feasible solution of (3.5), or if $P^{est}(X \ne Y|U = u_k, V = v_k) > \delta$, they abort. Else they accept.

We define the set $\mathcal{P}$ as the set where we would expect an adversary not to know a lot about the output of the system.
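Protocol 1 in runnable form, as an added example that is not the thesis's own code: binary inputs and outputs, key inputs $(u_k, v_k) = (0,0)$, and the dual feasible $\lambda$ of Example 12, so that $|\mathcal{U}||\mathcal{V}| \cdot P^{est}_{XYUV} \cdot \lambda$ is four times the fraction of test rounds with $x \oplus y \ne u \cdot v$. Two conventions are ours: only rounds in which both parties drew their input uniformly at random are used as test rounds, and the key rounds are the remaining rounds with inputs $(u_k, v_k)$. The simulated source is the constructed noisy PR box of the earlier examples; the decision function itself works on any recorded list of rounds.

```python
from fractions import Fraction
import random

# Constructed setting (our assumptions): binary inputs and outputs, key inputs
# (u_k, v_k) = (0, 0), and the dual feasible lambda of Example 12, whose value on a
# distribution is the probability mass on x XOR y != u*v.
U_K, V_K = 0, 0
INPUT_PAIRS = [(0, 0), (0, 1), (1, 0), (1, 1)]      # |U| * |V| = 4


def secrecy_estimate(test_rounds):
    """|U||V| * P_est_{XYUV} . lambda for Example 12's lambda: configurations with
    x XOR y != u*v carry weight 1, all others weight 0."""
    errors = sum(1 for x, y, u, v in test_rounds if x ^ y != u * v)
    return len(INPUT_PAIRS) * Fraction(errors, len(test_rounds))


def parameter_estimation(rounds, n, kappa, p, eps, delta):
    """Steps 5-8 of Protocol 1 on recorded rounds (x, y, u, v, is_test). is_test marks rounds
    in which both parties drew their input uniformly at random (our test-round convention);
    the remaining rounds with inputs (u_k, v_k) are the key rounds."""
    key_rounds = [(x, y) for x, y, u, v, t in rounds if not t and (u, v) == (U_K, V_K)]
    test_rounds = [(x, y, u, v) for x, y, u, v, t in rounds if t]
    # step 6: enough rounds with the key-generating inputs
    if len(key_rounds) < (1 - kappa) ** 2 * p * n or not key_rounds:
        return "abort", "too few key rounds"
    # step 7: every input combination occurred often enough among the test rounds
    per_input = {uv: 0 for uv in INPUT_PAIRS}
    for x, y, u, v in test_rounds:
        per_input[(u, v)] += 1
    for uv in INPUT_PAIRS:
        if per_input[uv] < kappa ** 2 * p * n / len(INPUT_PAIRS) or per_input[uv] == 0:
            return "abort", "input combination %s too rare" % (uv,)
    # step 8: estimated secrecy quantity and key error rate against the thresholds
    secrecy = secrecy_estimate(test_rounds)
    key_error = Fraction(sum(1 for x, y in key_rounds if x != y), len(key_rounds))
    if secrecy > eps:
        return "abort", "secrecy estimate %s > eps" % secrecy
    if key_error > delta:
        return "abort", "key error rate %s > delta" % key_error
    return "accept", {"secrecy": secrecy, "key_error": key_error, "key_rounds": len(key_rounds)}


def simulate_rounds(n, kappa, eps_box, seed):
    """Steps 1-4 with the constructed noisy PR box: inputs drawn as in steps 2-3, outputs with
    P(x XOR y != u*v | u, v) = eps_box. Rounds in which only one party drew a random input
    are recorded but serve neither as key nor as test rounds."""
    rng = random.Random(seed)
    rounds = []
    for _ in range(n):
        a_test, b_test = rng.random() < kappa, rng.random() < kappa
        u = rng.randrange(2) if a_test else U_K
        v = rng.randrange(2) if b_test else V_K
        x = rng.randrange(2)
        y = x ^ (u * v) ^ (1 if rng.random() < eps_box else 0)
        rounds.append((x, y, u, v, a_test and b_test))
    return rounds


if __name__ == "__main__":
    print(parameter_estimation(simulate_rounds(4000, 0.3, 0.02, seed=7), 4000, 0.3, 0.5, 0.25, 0.1))
```

With $n = 4000$, $\kappa = 0.3$ and $p = 0.5$ the thresholds of steps 6 and 7 sit far below the expected counts, so a box with $2\%$ error passes, while a box with $30\%$ error (local, since $\epsilon > 0.25$) is rejected in step 8 by the secrecy estimate before the key error rate is even compared with $\delta$.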
Definition 3.6. The set $\mathcal{P}$ are all distributions $P_{XY|UV}$ such that
$$P_{XY|UV} \cdot \lambda \le \epsilon$$
for some dual feasible $\lambda$. Furthermore, the set $\bar{\mathcal{P}}_\eta$ are all distributions $P_{XY|UV}$ such that $P_{XY|UV} \cdot \lambda^{\otimes n} > (\epsilon + \eta)^n$.

The quantity relevant for our security parameter is $P_{X_kY_k|U_kV_k} \cdot \lambda^{\otimes k'}$, where $P_{X_kY_k|U_kV_k}$ is the marginal distribution of the systems which will be used to create the key. This quantity is directly proportional to the frequency of a certain event defined by $X, Y, U, V$ of the system $P_{XYUV} = P_{XY|UV}/|\mathcal{U}||\mathcal{V}|$ and we will be able to apply classical sampling.

Lemma 3.14. Protocol 1 $\epsilon$-securely filters $\bar{\mathcal{P}}_\eta$ with
$$\epsilon = 2 e^{-\frac{t}{16}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2},$$
where $t = \kappa^2 p n$ and $\lambda_{\max} = \max_i \lambda_i$.

Proof. We want to bound $P_{XY|UV} \cdot \lambda^{\otimes n}$. Note that
$$P_{XY|UV} \cdot \lambda = |\mathcal{U}||\mathcal{V}| \cdot P_{XYUV} \cdot \lambda = |\mathcal{U}||\mathcal{V}| \cdot \lambda_{\max} \cdot P_{XYUV} \cdot \frac{\lambda}{\lambda_{\max}}$$
if the inputs are chosen uniformly. Since $\lambda/\lambda_{\max} \le 1$, the last part is directly the probability of an event described by $x, y, u, v$ (and maybe independent randomness, see Lemma 3.10). Estimating $P_{XY|UV} \cdot \lambda^{\otimes n}$ within an error $\eta$ corresponds to estimating the probability of this event within $\eta/|\mathcal{U}||\mathcal{V}|\lambda_{\max}$. The claim now follows directly by applying Lemma 2.3 (p. 28). □

Definition 3.7. The set $\bar{\mathcal{P}}^{k'}_\eta$ is defined as in Definition 3.6 but where $P_{XY|UV} = P_{X_kY_k|U_kV_k}$ is the $(2k')$-party marginal of a $(2n)$-party non-signalling system.

Lemma 3.15. Let $P_{XY|UV}$ be a $(2n)$-party non-signalling system not in $\bar{\mathcal{P}}_\eta$, and let $P_{X_kY_k|U_kV_k}$ be the $(2k')$-party marginal non-signalling system for some randomly chosen set of size $k'$. Then $P_{X_kY_k|U_kV_k} \notin \bar{\mathcal{P}}^{k'}_{\eta + \tilde\eta}$, except with probability [bound not legible in the source].

Proof. This is again a direct application of the Sampling Lemma (Lemma 2.3, p. 28), the same way as in the proof of Lemma 3.14. □

Lemmas 3.14 and 3.15 imply that, if the parameter estimation protocol does not abort, then, almost certainly, the systems which will be used for key generation are such that a secure key can be generated.

Lemma 3.16. Protocol 1 $\epsilon_1$-securely filters $\bar{\mathcal{P}}^{k'}_{\eta + \tilde\eta}$ with
$$\epsilon_1 = 2 e^{-\frac{t}{16}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2} + 2 e^{-\frac{k'}{16}\left(\frac{\tilde\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2},$$
where $t = \kappa^2 p n$ and $\lambda_{\max} = \max_i \lambda_i$.

Proof. This is a direct consequence of Lemmas 3.14 and 3.15. □

Now let us also see that the parameter estimation protocol will abort on inputs for which the information reconciliation might not work and where Alice and Bob might, therefore, obtain different keys.

Definition 3.8. The set $\mathcal{B}$ are all pairs of $n$-bit strings $(x,y)$ such that $d_H(x,y) \le \delta n$. The set $\bar{\mathcal{B}}_\eta$ are all pairs of $n$-bit strings $(x,y)$ such that $d_H(x,y) > (\delta + \eta) n$. By $\bar{\mathcal{B}}^{k'}_\eta$ we denote all pairs of $k'$-bit strings $(x_k, y_k)$ such that $d_H(x_k, y_k) > (\delta + \eta) k'$.

Lemma 3.17. Let $(x_k, y_k)$ be the outputs on input $(U_i, V_i) = (u_k, v_k)$. Then Protocol 1 $\epsilon_2$-securely filters $(x_k, y_k) \in \bar{\mathcal{B}}^{k'}_{\eta + \tilde\eta}$, for any $\eta, \tilde\eta > 0$, with
$$\epsilon_2 = 2 e^{-\frac{t'}{16}\eta^2} + 2 e^{-\frac{k'}{16}\tilde\eta^2} \qquad (3.7)$$
with $t' = \kappa^2 p n / |\mathcal{U}||\mathcal{V}|$ and $k' = (1 - \kappa)^2 p n$.

Proof. This follows from applying Lemma 2.3 (p. 28) twice. □

Lemmas 3.16 and 3.17 imply that Protocol 1 either aborts, or the key created will be both secret and correct. The probability that the parameter-estimation protocol lets a 'bad' system pass is at most $\epsilon = \epsilon_1 + \epsilon_2$, i.e., it is $\epsilon$-secure for some $\epsilon \in O(2^{-n})$.

Let us also verify that there exist input systems on which the parameter-estimation protocol does not abort, i.e., it is robust.
Definition 3.9. The set $\mathcal{P}^{-\eta}$ are all distributions $P_{XY|UV}$ such that $P_{XY|UV} \cdot \lambda^{\otimes m} \le (\epsilon - \eta)^m$ and $\sum_{(x,y) : d_H(x,y) > \delta m} P_{XY|U = u_k, V = v_k}(x,y) \le (\delta - \eta)^m$ for all $m$.

Note that, for example, the distribution describing $n$ independent systems of which the individual systems are 'good enough' is in this set.

On an input in $\mathcal{P}^{-\eta}$, the probability that the parameter-estimation protocol aborts is $O(2^{-n})$, i.e., the protocol is robust.

Lemma 3.18. Protocol 1 is $\epsilon'$-robust on $\mathcal{P}^{-\eta}$ with
$$\epsilon' = 2 e^{-\frac{t}{16}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2} + 2 e^{-\frac{t'}{16}\eta^2} + e^{-2n\left((1-p)(1-\kappa)^2\right)^2} + |\mathcal{U}||\mathcal{V}| \cdot e^{-2n\left(\frac{(1-p)\kappa^2}{|\mathcal{U}||\mathcal{V}|}\right)^2},$$
where $t = \kappa^2 p n$ and $t' = \kappa^2 p n / |\mathcal{U}||\mathcal{V}|$.

Proof. The probability to wrongly estimate the frequency is given by Lemmas 3.14 and 3.17. The last two terms are the probability that any input combination does not occur often enough and follow directly from a Chernoff bound (see Lemma 2.1, p. 27). □



3.5.2 Information reconciliation

Information reconciliation [BS93] is the process responsible for making Alice's and Bob's data highly correlated, i.e., if we consider Bob's string as an erroneous version of Alice's, then information reconciliation corresponds to error correction. The idea is that Alice applies a function to her data and sends the function value to Bob. Bob searches the value 'closest' to his data that maps to this function value and should, almost certainly, be able to recover Alice's data.

Definition 3.10. Let $\mathcal{P}$ be a set of distributions $P_{XY}$ (or $\mathcal{B}$ a set of bit-string pairs $(x,y)$). We say that an information reconciliation protocol is $\epsilon$-correct on $\mathcal{P}$ (or $\mathcal{B}$), if on input $P_{XY} \in \mathcal{P}$ ($(x,y) \in \mathcal{B}$) it outputs $x', y'$ such that $x' \ne y'$ with probability at most $\epsilon$.

Figure 3.8: The principle of information reconciliation. Alice sends to Bob the function $f$ and the value of the function applied to $x$, $f(x)$. Bob can then recover the value of $x$.

We will only consider one-way protocols, where Alice sends information about her string to Bob, but Bob does not send anything. In that case, $x = x'$, and only Bob changes his string.

Definition 3.11. Let $\mathcal{P}$ be a set of distributions $P_{XY}$. We say that an information reconciliation protocol is $\epsilon$-robust on $\mathcal{P}$ if on input $P_{XY} \in \mathcal{P}$ it aborts with probability at most $\epsilon$.

We will actually consider protocols where Alice and Bob never abort. But it is possible to introduce different protocols where Bob has a small chance to abort, for example, if he cannot find a suitable $y'$ or if he finds more than one suitable $y'$.

Protocol 2 (Information reconciliation).

1. Alice obtains $x$ and Bob $y$ (distributed according to $P_{XY}$) with $\mathcal{X} = \mathcal{Y} = \{0,1\}^n$. Alice outputs $x' = x$.

2. Alice chooses a matrix $A \in M_{m \times n}(GF(2))$ at random and calculates $r = A \odot x$ (where '$\odot$' denotes the multiplication over $GF(2)$).

3. She sends the matrix $A$ and $r$ to Bob.

4. Bob chooses $y'$ such that $d_H(y, y')$ is minimal among all strings $z$ with $A \odot z = A \odot x = r$ (if there are two possibilities, he chooses one at random) and outputs $y'$.

To see that this protocol works, we need a result from [CW77] about two-universal sets of hash functions and from [BS93] about information reconciliation.

Definition 3.12. A set of functions $\mathcal{F}$ such that $f : \mathcal{X} \to \mathcal{Z}$ is called two-universal if $\Pr_f[f(x) = f(x')] \le 1/|\mathcal{Z}|$ for any $x \ne x' \in \mathcal{X}$, where the function $f$ is chosen uniformly at random from $\mathcal{F}$.

Theorem 3.2 (Carter, Wegman [CW77]). The set of functions $f_A(x) := A \odot x$, where $A$ is an $m \times n$-matrix over $GF(2)$, is two-universal.

Brassard and Salvail [BS93] (see Theorem 4.5, p. 113) showed that information reconciliation can be achieved by a two-universal function. We give a slightly modified version of their result in Lemma 3.19.

Lemma 3.19. Let $x$ be an $n$-bit string and $y$ another $n$-bit string such that $d_H(x, y) \le \delta' n$. Assume the function $f : \{0,1\}^n \to \{0,1\}^m$ is chosen at random amongst a two-universal set of functions. Choose $y'$ such that $d_H(y, y')$ is minimal among all strings $r$ with $f(r) = f(x)$. Then
$$\Pr[y' \ne x] \le 2^{n \cdot h(\delta') - m},$$
where $h(p) = -p \cdot \log_2 p - (1 - p) \log_2 (1 - p)$ is the binary entropy function.

Proof. The probability that a $y' \ne x$ with $d_H(x, y') \le \delta' n$ is mapped to the same value by $f$, when $f \in \mathcal{F}$ is chosen at random, is
$$\Pr[x \ne y'] \le 2^{n \cdot h(\delta') - m}. \qquad □$$

Lemma 3.20. Protocol 2 is $\epsilon$-correct on input $(x, y)$ such that $d_H(x, y) \le \delta' n$, with $\epsilon = 2^{n \cdot h(\delta') - m}$.

Proof. This follows directly from Lemma 3.19. □

Lemma 3.21. Protocol 2 is 0-robust on all inputs.

Proof. There is always a $y'$ such that $A \odot y' = r$, because $A \odot x = r$. Therefore, the protocol never aborts. □

The above lemmas show that in the limit of large $n$, $m = \lceil n \cdot h(\delta') \rceil$ (where $\delta'$ is the fraction of Bob's bits which are different from Alice's and $h$ the binary entropy function) is both necessary and sufficient for Bob to correct the errors in his raw key, i.e., the protocol is $\epsilon$-correct for some $\epsilon \in O(2^{-n})$.
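The following Python script is an added illustration of Protocol 2 and Lemmas 3.19 and 3.21, not code from the thesis or from [BS93]: it draws the random $GF(2)$ matrix, hashes Alice's string, lets Bob search the closest string with the same hash by increasing error weight, and compares the empirical failure rate with the bound $2^{n \cdot h(\delta') - m}$. The sample strings, the brute-force decoder and the parameter choices ($n = 16$, two errors, $m = 12$) are ours; the decoder is exponential in the weight it has to search and is meant to make the argument concrete, not to be a practical reconciliation code.

```python
import math
import random
from itertools import combinations

# Bit strings are tuples of 0/1 ints; a matrix over GF(2) is a tuple of such rows.


def random_gf2_matrix(m, n, rng):
    """Step 2 of Protocol 2: A drawn uniformly from M_{m x n}(GF(2)); by Theorem 3.2 the
    family x -> A (.) x is two-universal."""
    return tuple(tuple(rng.randrange(2) for _ in range(n)) for _ in range(m))


def gf2_matvec(A, x):
    """A (.) x over GF(2): each output bit is the parity of the bits of x selected by a row."""
    return tuple(sum(a * b for a, b in zip(row, x)) & 1 for row in A)


def hamming(a, b):
    return sum(p != q for p, q in zip(a, b))


def decode(A, r, y, rng=None):
    """Step 4: the string closest to y whose hash is r, found by trying error patterns e of
    increasing weight (A (.) (y XOR e) = r iff A (.) e = r XOR A (.) y); ties are broken
    at random. Some pattern always works (e = x XOR y), so this never fails (Lemma 3.21)."""
    rng = rng or random.Random(0)
    n = len(y)
    syndrome = tuple(ri ^ si for ri, si in zip(r, gf2_matvec(A, y)))
    for w in range(n + 1):
        hits = []
        for positions in combinations(range(n), w):
            e = tuple(1 if i in positions else 0 for i in range(n))
            if gf2_matvec(A, e) == syndrome:
                hits.append(tuple(yi ^ ei for yi, ei in zip(y, e)))
        if hits:
            return rng.choice(hits)


def reconcile(x, y, m, rng):
    """Protocol 2 end to end; (A, r) is what goes over the public channel in step 3."""
    A = random_gf2_matrix(m, len(x), rng)
    r = gf2_matvec(A, x)
    return x, decode(A, r, y, rng), A, r


def binary_entropy(p):
    """h(p) of Lemma 3.19."""
    return 0.0 if p in (0, 1) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def failure_bound(n, m, delta_prime):
    """Lemma 3.19: Pr[y' != x] <= 2^(n*h(delta') - m) when d_H(x, y) <= delta'*n."""
    return 2.0 ** (n * binary_entropy(delta_prime) - m)


def trial_failures(n, errors, m, trials, seed):
    """Constructed experiment: x uniform, y = x with `errors` bits flipped; counts the trials
    in which Bob's y' differs from x. Also checks the two invariants that always hold."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        x = tuple(rng.randrange(2) for _ in range(n))
        flips = set(rng.sample(range(n), errors))
        y = tuple(b ^ (1 if i in flips else 0) for i, b in enumerate(x))
        _, y_prime, A, r = reconcile(x, y, m, rng)
        assert gf2_matvec(A, y_prime) == r              # Bob's output always hashes to r
        assert hamming(y, y_prime) <= hamming(y, x)     # x itself was a candidate
        failures += int(y_prime != x)
    return failures


if __name__ == "__main__":
    print(trial_failures(16, 2, 12, 100, seed=1), "failures of 100; Lemma 3.19 bound per trial:",
          failure_bound(16, 12, 2 / 16))
```

With $n = 16$, $\delta' = 2/16$ and $m = 12$ the bound of Lemma 3.19 is about $0.10$ per run; the observed failure rate is lower because the bound counts every string within distance $\delta' n$ of $x$, while Bob only loses to strings at least as close to $y$ as $x$ is. Raising $m$ towards $n$ drives the failures to zero at the price of revealing more of $x$ over the public channel, which is exactly what privacy amplification in the next section has to pay for.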



3.5.3 Privacy amplification

After Alice and Bob have done information reconciliation, they hold (almost certainly) the same strings. Eve might have some information about this string. Privacy amplification [BBR88, ILL89] is the process that turns this string into a highly secure key. The idea of privacy amplification is very similar to the one of information reconciliation: Alice and Bob apply a (public) function to their data. As long as Eve does not know the initial data perfectly, she will know almost nothing about the function value.

We now want to show that privacy amplification against non-signalling adversaries is possible using a random linear function, i.e., by applying the XOR to randomly chosen subsets of the bits. In Section 3.4.2 we have seen that a secure bit can be created using the XOR. Let us first estimate what the security of the XOR of a random subset of the outputs of a system $\in \mathcal{P}$ can be.

Lemma 3.22. Let $c$ be a random vector of length $n$ over $GF(2)$, and $P_{XY|UV} \in \mathcal{P}$ a $(2n)$-party non-signalling system. Call $S_c = c \odot X$. Then
$$d(S_c|Z(W_{n\text{-}s}), Q) \le \frac{1}{2}\left(\frac{1 + \epsilon + \eta}{2}\right)^{n} + [\text{Chernoff term for } s < n/4\text{, not legible in the source}] + e^{-\frac{n}{64}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2},$$
where $Q = (U = u, V = v, C)$.

Figure 3.9: The principle of privacy amplification. Alice and Bob apply a public function to $x$ to obtain $f(x)$. Eve, who does not know $x$ exactly, knows almost nothing about $f(x)$.

Proof. We need to estimate $P_{X_SY_S|U_SV_S} \cdot \lambda^{\otimes s}$ for some randomly chosen set $S$. We distinguish two cases depending on the size $s$ of the set $S$. By the Chernoff bound (see Lemma 2.1, p. 27), $s < n/4$ happens with probability at most [bound not legible in the source]. For $s \ge n/4$, by Lemma 3.14, $P_{X_SY_S|U_SV_S} \cdot \lambda^{\otimes s}$ is at most $(\epsilon + \eta)^s$, except with probability $2 e^{-\frac{s}{16}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2} \le 2 e^{-\frac{n}{64}\left(\frac{\eta}{|\mathcal{U}||\mathcal{V}|\lambda_{\max}}\right)^2}$. The distance is bounded by half the sum of the two terms. We obtain the statement by taking the average over all possible choices of sets $S$, using the binomial formula, i.e., $\sum_i \binom{n}{i} x^i = (1 + x)^n$, and the union bound. □



Let us now calculate the security of a key S, where each key bit is the XOR 
of a random subset of the raw key. We first reduce the security of the key 
S to the question of the security of every single bit. 
Lemma 3.23. Assume $S := [S_1, \ldots, S_s]$, where the $S_i$ are bits. Then 

$$d(S \mid Z(W_{n-s}), Q) \le \sum_{i=1}^{s} d(S_i \mid Z(W_{n-s}), Q, S_1, \ldots, S_{i-1}) . $$

Proof. 

$$
\begin{aligned}
d(S \mid Z(W_{n-s}), Q)
&= \frac{1}{2}\sum_{s,z,q}\max_{w_{n-s}}\Big|P_{S,Z,Q|W=w}(s,z,q) - P_U(s)\,P_{Z,Q|W=w}(z,q)\Big| \\
&\le \frac{1}{2}\sum_{s,z,q}\max_{w_{n-s}}\sum_{i=1}^{s} P_U(s_{i+1},\ldots,s_s)\,\Big|P_{S_1\ldots S_i,Z,Q|W=w}(s_1,\ldots,s_i,z,q) \\
&\qquad\qquad\qquad - P_U(s_i)\,P_{S_1\ldots S_{i-1},Z,Q|W=w}(s_1,\ldots,s_{i-1},z,q)\Big| \\
&\le \sum_{i=1}^{s} d(S_i \mid Z(W_{n-s}), Q, S_1, \ldots, S_{i-1}) ,
\end{aligned}
$$

where the first equation is the definition of the distance from uniform, the second 
line follows by writing the difference as a telescoping sum over $i$ (its term for 
$i = s$ compares $P_{S,Z,Q|W=w}$ with $P_U(s_s)\,P_{S_1 \ldots S_{s-1},Z,Q|W=w}$, its term 
for $i = 1$ compares $P_{S_1,Z,Q|W=w}$ with $P_U(s_1)\,P_{Z,Q|W=w}$) and applying the 
triangle inequality, and the last inequality holds because the maximum of a sum is at 
most the sum of the maxima and the summation over $s_{i+1}, \ldots, s_s$ removes the 
factor $P_U(s_{i+1}, \ldots, s_s)$. □ 

We, therefore, need to bound the distance from uniform of the $i$-th key bit 
given all previous bits. 

For this, we need a few lemmas. The first one states that the sum (modulo 2) of 
two random bit vectors is again a random vector. The second one implies that in 
order to bound the distance from uniform of the $i$-th bit given all previous bits, 
it is enough to bound the distance from uniform given all linear combinations of 
these bits. 

Lemma 3.24. Let $u$ and $v$ be independent $n$-bit vectors, each distributed according 
to the uniform distribution $P_U$ over all $n$-bit vectors. Define the vector $w = u \oplus v$. 
Then $w$ is again distributed according to the uniform distribution, i.e., 

$$P_{u \leftarrow P_U,\, v \leftarrow P_U}(u \oplus v = w) = P_U(w) . $$

Proof. The uniform distribution over all $n$-bit vectors can be obtained by 
drawing each of the $n$ bits independently at random, i.e., with $P(0) = P(1) = 1/2$. 
The XOR of two independent random bits is again a random bit with $P(0) = P(1) = 1/2$, 
and therefore $w$ is also a vector drawn according to the uniform distribution 
over all $n$-bit vectors. □ 

Lemma 3.25. Let $S_1, \ldots, S_k$ be random bits. If $S_k$ is uniform given every linear 
combination over $\mathrm{GF}(2)$ of $S_1, \ldots, S_{k-1}$, i.e., if 
$P_{S_k \mid \bigoplus_{i \in I} S_i}(0) = P_{S_k \mid \bigoplus_{i \in I} S_i}(1)$ 
for all $I \subseteq \{1, \ldots, k-1\}$ and both values of the conditioning bit, 
then $S_k$ is uniform given $S_1, \ldots, S_{k-1}$, i.e., 
$P_{S_k \mid S_1 \ldots S_{k-1}}(0) = P_{S_k \mid S_1 \ldots S_{k-1}}(1)$. 

Proof. We prove the case $k = 3$; the general case follows by induction. 
We have to show that if $P_{S_3|S_1}$, $P_{S_3|S_2}$ and $P_{S_3|S_1 \oplus S_2}$ are uniform, then 
$P_{S_3|S_1 S_2}$ is uniform. Consider the probabilities $P_{S_1 S_2 S_3}$ (we drop the index). 
Since $P_{S_3|S_1}$ is uniform, we obtain the constraints 

$$P(0,0,0) + P(0,1,0) = P(0,0,1) + P(0,1,1) \tag{3.8}$$
$$P(1,0,0) + P(1,1,0) = P(1,0,1) + P(1,1,1) . $$

Since $P_{S_3|S_2}$ is uniform, 

$$P(0,0,0) + P(1,0,0) = P(0,0,1) + P(1,0,1) $$
$$P(0,1,0) + P(1,1,0) = P(0,1,1) + P(1,1,1) . \tag{3.9}$$

And from the fact that $P_{S_3|S_1 \oplus S_2}$ is uniform, we obtain 

$$P(0,0,0) + P(1,1,0) = P(0,0,1) + P(1,1,1) \tag{3.10}$$
$$P(0,1,0) + P(1,0,0) = P(0,1,1) + P(1,0,1) . $$

Subtracting the second line of (3.9) from the first line of (3.8) and adding the 
first line of (3.10), the terms $P(0,1,\cdot)$ and $P(1,1,\cdot)$ cancel and we obtain 

$$2 \cdot P(0,0,0) = 2 \cdot P(0,0,1) , $$

which implies 

$$P_{S_3 \mid S_1 = 0, S_2 = 0}(0) = \frac{P_{S_1 S_2 S_3}(0,0,0)}{P_{S_1 S_2 S_3}(0,0,0) + P_{S_1 S_2 S_3}(0,0,1)} = \frac{1}{2} = P_{S_3 \mid S_1 = 0, S_2 = 0}(1) . $$

Uniformity of $S_3$ given the other three values of $(S_1, S_2)$ follows in an analogous way. □ 



Now we can bound the distance from uniform of the $i$-th bit given the 
bits $1$ to $i-1$ by the union bound. 

Lemma 3.26. Let $P_{XY|UV} \in \mathcal{P}$ and $S := A \cdot X$, where $A$ is an $i \times n$-matrix 
over $\mathrm{GF}(2)$ and $P_A$ the uniform distribution over all these matrices. Let 
$Q := (U = u, V = v, A)$. Then 

$$d(S_i \mid Z(W_{n-s}), Q, S_1, \ldots, S_{i-1}) \le 2^{i-1}\left(\frac{1}{2}\left(\frac{1+\varepsilon+\mu}{2}\right)^{n} + e^{-n/8} + e^{-(\cdots)}\right) , $$

with the same error terms as in Lemma 3.22. 

Proof. By Lemma 3.25, bounding the distance from uniform of $S_i$ given 
$S_1, \ldots, S_{i-1}$ reduces to bounding the distance from uniform of $S_i$ 
given each linear combination over $\mathrm{GF}(2)$ of $S_1, \ldots, S_{i-1}$. For each 
linear combination $\bigoplus_{j \in I} S_j$ define the random bit $S_c = c \cdot X$, where 
$c = \bigoplus_{j \in I} a_j \oplus a_i$ and $a_j$ denotes the $j$-th row of the matrix $A$; 
then $S_c = S_i \oplus \bigoplus_{j \in I} S_j$. By Lemma 3.24, $c$ is uniformly distributed, 
i.e., $S_c$ is again a random linear function of $X$. If $S_c$ is uniform and independent 
of $S_1, \ldots, S_{i-1}$, then $S_i$ is uniform given this specific linear combination. 
The distance of $S_c$ from uniform and independent is bounded by Lemma 3.22. By the 
union bound over all $2^{i-1}$ possible linear combinations of $S_1, \ldots, S_{i-1}$, we 
obtain the bound on the distance from uniform of $S_i$ given $S_1, \ldots, S_{i-1}$, i.e., 

$$d(S_i \mid Z(W_{n-s}), Q, S_1, \ldots, S_{i-1}) \le 2^{i-1} \cdot d(S_c \mid Z(W_{n-s}), Q) . \qquad □$$



Now we can bound the distance from uniform of a key $S := S_1 \ldots S_s$ by 
Lemmas 3.23 and 3.26. 

Lemma 3.27. Assume $S := A \cdot X$, where $A$ is an $s \times n$-matrix over $\mathrm{GF}(2)$ and 
$P_A$ the uniform distribution over all these matrices. Let $Q := (U = u, A)$. Then 

$$d(S \mid Z(W_{n-s}), Q) \le 2^{s}\left(\frac{1}{2}\left(\frac{1+\varepsilon+\mu}{2}\right)^{n} + e^{-n/8} + e^{-(\cdots)}\right) , $$

with the same error terms as in Lemma 3.22. 

Proof. This follows from Lemmas 3.23 and 3.26 when using the formula for the 
geometric series, i.e., 

$$\sum_{i=1}^{s} 2^{i-1} = \frac{2^{s} - 1}{2 - 1} < 2^{s} . \qquad □$$

This expression is exponentially small in $n$ whenever $s = q \cdot n$ for some (constant) $q$ 
with $2^{q-1}(1+\varepsilon) < 1$ and $\mu$ is chosen small enough, since then 
$2^{s}\left(\frac{1+\varepsilon+\mu}{2}\right)^{n} = \left(2^{q-1}(1+\varepsilon+\mu)\right)^{n}$. 
3.5.4 Key distribution 

Now we can put everything together in order to create a key-agreement 
scheme using the steps above. 

Definition 3.13. A key-distribution protocol is said to be $\varepsilon$-secret against 
non-signalling adversaries if, on all inputs, $d(S_A \mid Z(W_{n-s}), Q) \le \varepsilon$. It is 
said to be $\varepsilon'$-correct if, on all inputs, $P[S_A \ne S_B] \le \varepsilon'$, and it is said to be 
$\varepsilon''$-secure if it is both secret and correct, i.e., $\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{ideal}}) \le \varepsilon''$. 

Lemma 3.28. A key-distribution protocol which is $\varepsilon$-secret and $\varepsilon'$-correct is 
$(\varepsilon + \varepsilon')$-secure. 

Proof. This follows directly from the triangle inequality (Lemma 2.5, p. 32). □ 

Protocol 3 (Key distribution secure against non-signalling adversaries). 

1. Alice and Bob obtain a system $P_{XY|UV}$. 

2. They do parameter estimation using Protocol 1. 

3. Information reconciliation and privacy amplification: Alice chooses 
a uniformly random matrix $A \in \mathcal{M}_{(s+r) \times n}$ over $\mathrm{GF}(2)$ and calculates 
$[S_A, R] = A \cdot x$, where $x$ is her raw key, $S_A$ consists of the first $s$ bits of 
the product and $R$ of the remaining $r$ bits. 

4. Alice sends the matrix $A$ and $R$ to Bob and outputs $S_A$. 

5. Bob calculates the $y'$ with minimal Hamming distance $d_H(y, y')$ to his raw key $y$ 
such that $R = A_r \cdot y'$, where $A_r$ consists of the rows of $A$ that produced $R$, and 
outputs $S_B = A_s \cdot y'$, where $A_s$ consists of the rows of $A$ that produced $S_A$. 
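The following Python program, added here as an illustration and not part of the thesis, carries out steps 3 to 5 of Protocol 3 on constructed raw keys: Alice draws a uniformly random $(s+r) \times n$ matrix over $\mathrm{GF}(2)$, publishes $A$ and the syndrome $R = A_r \cdot x$, and Bob searches for the string $y'$ closest to his raw key $y$ in Hamming distance with $A_r \cdot y' = R$. The thesis does not prescribe a decoding algorithm; the brute-force search below (enumerating candidates by increasing Hamming distance) is an assumption made for the example and is exponential in the number of corrected errors, so it is only usable for toy block lengths. The block length, the number of flipped positions and the seed are likewise constructed.

```python
"""Steps 3-5 of Protocol 3 with a random GF(2) matrix (added example, not thesis code).

Rows of A are stored as Python ints used as bitmasks: bit (n-1-i) of a row holds
the coefficient of raw-key position i.  The raw keys x, y below are constructed.
"""
import random
from itertools import combinations


def random_matrix(rows, cols, rng):
    """Uniformly random rows x cols matrix over GF(2), each row an int bitmask."""
    return [rng.getrandbits(cols) for _ in range(rows)]


def bits_to_int(bits):
    """Pack a list of 0/1 bits (most significant first) into an int."""
    value = 0
    for b in bits:
        value = (value << 1) | (b & 1)
    return value


def mul_gf2(matrix, x_int):
    """A . x over GF(2): bit i of the result is the parity of (row_i AND x)."""
    return [bin(row & x_int).count("1") & 1 for row in matrix]


def alice(x_bits, s, r, rng):
    """Steps 3/4: choose A, compute [S_A, R] = A . x; A and R are public, S_A is the key."""
    A = random_matrix(s + r, len(x_bits), rng)
    out = mul_gf2(A, bits_to_int(x_bits))
    return A, out[:s], out[s:]          # A, S_A (first s bits), R (last r bits)


def bob(y_bits, A, R, s, max_errors):
    """Step 5: find y' with minimal d_H(y, y') such that A_r . y' = R, output A_s . y'.

    Candidates are enumerated by increasing Hamming distance from y (brute force,
    an assumption of this example); None means no candidate within max_errors.
    """
    n = len(y_bits)
    y_int = bits_to_int(y_bits)
    A_s, A_r = A[:s], A[s:]
    for t in range(max_errors + 1):
        for positions in combinations(range(n), t):
            flips = 0
            for p in positions:
                flips |= 1 << (n - 1 - p)
            candidate = y_int ^ flips
            if mul_gf2(A_r, candidate) == R:
                return mul_gf2(A_s, candidate)
    return None


def run_protocol(n=48, s=8, r=32, errors=2, seed=7):
    """Constructed raw keys: x uniform, y = x with `errors` positions flipped.

    Returns (S_A, S_B, R).  With r parity bits, a wrong y' within distance
    `errors` passes the check R = A_r . y' with probability about (#candidates)/2^r.
    """
    rng = random.Random(seed)
    x = [rng.getrandbits(1) for _ in range(n)]
    y = list(x)
    for p in rng.sample(range(n), errors):
        y[p] ^= 1
    A, S_A, R = alice(x, s, r, rng)
    S_B = bob(y, A, R, s, max_errors=errors)
    return S_A, S_B, R


if __name__ == "__main__":
    S_A, S_B, R = run_protocol()
    print("Alice's key:", S_A)
    print("Bob's key:  ", S_B)
    print("keys agree: ", S_A == S_B)
```

For the toy block length used here the example publishes far more than $n \cdot h(\delta)$ parity bits: with $n = 48$ and two errors there are 1177 candidates within Hamming distance 2, so $r = 12 \approx n \cdot h(2/48)$ parity bits would let a wrong candidate pass with probability of roughly a quarter, whereas $r = 32$ makes that event negligible. The asymptotic rate $r \ge n \cdot h(\delta)$ of Theorem 3.3 only becomes usable for large $n$, where a proper decoder replaces the enumeration.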

Theorem 3.3. Protocol 3 is $\varepsilon$-correct and $\varepsilon'$-secret with $\varepsilon, \varepsilon'$ exponentially 
small in $n$ for $s = q \cdot n$ and $r \ge n \cdot h(\delta)$, where $q$ is such that 
$2^{q + r/n - 1}(1+\varepsilon) < 1$ (here $\varepsilon$ in $(1+\varepsilon)$ denotes the non-locality 
parameter estimated in Section 3.5.1). Additionally, Protocol 3 is $\varepsilon''$-robust with 
$\varepsilon''$ exponentially small in $n$. 

Proof. This follows directly from Lemmas 3.16, 3.20 and 3.27. Note that 
in order to do information reconciliation, a key of length $s + r$ has to be 
created, which is why the exponent contains $q + r/n$ instead of $q$. Robustness 
follows from Lemma 3.18. □ 

The secret key rate is the length of the key a secure protocol can output, 
divided by the number of systems used, in the asymptotic limit of a large 
number of systems. 

Lemma 3.29. Protocol 3 reaches a key rate $q$ of 

$$q = 1 - h(\delta) - \log_2(1+\varepsilon) . $$



3.6 The Protocol 



In this section, we analyse a protocol with an implementation similar to 
the one given in [Eke91]. We compute its key rate in the presence of a 
non-signalling adversary. The protocol can be implemented using quantum 
mechanics; the security, however, relies only on the non-signalling 
condition. A slightly different protocol reaching a positive key rate in the 
quantum regime is given in [HRW10]. 



Figure 3.10: Alice's and Bob's measurement bases in terms of polariza- 
tion. 

Protocol 4. 

1. Alice creates $n$ singlet states $|\Psi^-\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$ and sends one 
qubit of every state to Bob. 

2. Alice and Bob randomly measure the $i$-th system in either the basis 
$u_0$ or $u_1$ (Alice) or $v_0$, $v_1$ or $v_2$ (Bob); the five bases are shown in 
Figure 3.10. Bob inverts his measurement result. They make sure 
that no signal can travel between the subsystems. 

3. The measurement results from the cases where Alice measured in basis $u_0$ and 
Bob in basis $v_2$ form the raw key. 

4. For the remaining measurements, they announce the results over 
the public authenticated channel and estimate the parameters $\varepsilon$ and 
$\delta$ (see Section 3.5.1). If the parameters are such that key agreement 
is possible, they continue; otherwise they abort. 

5. Information reconciliation and privacy amplification: Alice 
randomly chooses an $(m + s) \times n$-matrix $A$ such that $p(0) = p(1) = 
1/2$ for all entries, with $m := \lceil n \cdot h(\delta) \rceil$. She calculates $A \cdot x$ (where $x$ 
is Alice's raw key) and sends the first $m$ bits to Bob over the public 
authenticated channel. The remaining bits form the key. 



Assume that Alice and Bob execute the above protocol using a noisy quantum 
channel. More precisely, their final state is a mixture of a singlet with 
weight $1 - p$ and a fully mixed state with weight $p$. The key rate as a function 
of the parameter $p$ is given in Figure 3.11. 





Figure 3.11: The key rate of Protocol 4 secure against a non-signalling 
adversary in terms of the channel noise $p$ (plot of the key rate, between 0 and 1.0, 
against $p$ from 0.02 to 0.10). 



3.7 Concluding Remarks 

We have shown that privacy amplification of non-signalling secrecy is 
possible if a non-signalling condition holds between all subsystems. It 
follows from the results in Chapter 5 that some kind of additional requirement 
is, in general, necessary. The question remains open whether it 
could be partially relaxed, for example such that signalling is only allowed 
in one direction (as would be the case when the systems are 
measured one after the other). 

Another challenge is to find different non-local correlations, inequival- 
ent to the CHSH inequality or Braunstein-Caves inequality, which imply 
partial secrecy in this setup and can be used as building block for a key- 
distribution scheme. 



Chapter 4 



Device-Independent 
Security Against Quantum 
Adversaries 



4.1 Introduction 



The key-distribution scheme studied in Chapter 3 is secure against all 
non-signalling adversaries. Since it is not possible to signal by measuring 
different parts of an entangled quantum state, this holds, in particular, 
for an adversary limited by quantum physics. However, a non-signalling 
adversary is, in general, much stronger than a quantum adversary. For 
example, she can even have significant knowledge about a system that 
violates the CHSH inequality (Section 2.6.1) by its maximum quantum 
value. As discussed in Section 1.3, a quantum system reaching this value 
must be (equivalent to) a singlet state. A quantum adversary could, therefore, 
not have any knowledge about the measurement outcome. For a key-agreement 
scheme, this means that tolerating a non-signalling adversary 
leads to an unnecessarily low key rate, or even to the impossibility of agreeing 
on a key in a noise range where this is possible in the presence of quantum adversaries. 

In this chapter, we consider key agreement secure against quantum ad- 
versaries. It is already known that classical post-processing, in particular 
privacy amplification [RK05], works even if the adversary holds quantum 
information. The problem is to estimate the entropy, i.e., the uncertainty 
the adversary has about the raw key. 



Chapter outline We study the possible attacks by a quantum adversary 
and explain our setup in Section 4.2. We then study the security of a 
single quantum system and show how the probability that an eavesdropper 
can guess the measurement result (a quantity equivalent to the 
min-entropy) can be expressed as the solution of a semi-definite program. 
We first give a version which depends on the exact state and measurements 
of the honest parties (Section 4.3.1) and then modify it to a device-independent 
version in Section 4.3.2. We also give a slightly different 
form which can be used to calculate the security of a bit (Sections 4.3.3 
and 4.3.4). We then turn to several systems and show how the conditions 
they need to fulfil can be expressed in terms of the conditions of the 
individual systems (Section 4.4.1) if measurements on different subsystems 
commute. This leads directly to a product theorem for the guessing 
probability (Section 4.4.2) (i.e., additivity of the min-entropy) and 
an XOR-Lemma for partially secure bits against quantum adversaries 
(Section 4.4.3). This insight can be used to construct a key-distribution 
scheme. We first assume that the honest parties' systems behave independently 
(Section 4.5) and then remove this requirement in Section 4.6. 
Finally, we give an explicit protocol in Section 4.7. 



Related work The question of device-independent quantum key distribution 
has been raised, and security in a noiseless scenario been shown, 
by Mayers and Yao in [MY98]. In [MMMO06], this result has been extended 
to allow for noise. In [ABG+07], a protocol secure against collective 
attacks has been given. Under a plausible, but unproven, conjecture 
it remains secure against coherent attacks if the devices are memoryless 
[McK10]. All these results use the fact that for binary outcomes, the 
effective dimension of the Hilbert space can be reduced. 

The question of security against quantum adversaries is related to the 
question of which correlations can be obtained from measurements on a 
quantum system [Tsi80, Weh06, Mas06]. In fact, our approach is based on 
such a criterion given in [NPA07, DLTW08, NPA08]. 



Contributions The main technical contribution of this chapter is Lemma 4.9, 
which shows that the conditions several quantum systems must 
fulfil can be expressed in terms of the conditions on the individual subsystems. 
The resulting product lemma for the guessing probability of 
a quantum adversary is Theorem 4.3, and the XOR-Lemma for quantum 
secrecy is given in Theorem 4.4. 



4.2 Modelling Quantum Adversaries 
4.2.1 Possible attacks 

Consider the scenario where Alice, Bob, and Eve share a tripartite quantum 
state. They can each measure their part of the system and obtain 
a measurement outcome. We can, of course, also consider the state Alice 
and Bob share after Eve's part has been traced out, and this is also a quantum 
state. In accordance with the non-signalling principle, the marginal 
state Alice and Bob share is independent of what Eve does with her part 
of the state (in particular, of her measurement). We can even consider 
the state Alice and Bob share conditioned on a certain measurement outcome 
of Eve, and this is, of course, still a quantum state. Finally, in case 
Alice and Bob share several systems (living in a tensor product Hilbert 
space and such that measurements are performed on the individual subspaces), 
then even conditioned on the measurement outcomes of one system, 
the remaining systems are still quantum systems. 

We will consider the case where Alice and Bob share n bipartite quan- 
tum systems and ask the question whether they can agree on a secret 
key unknown to Eve by interacting with them. We make the following 
requirement. 

Condition 2. The system $P_{XYZ|UVW}$ must be a $(2n + 1)$-party quantum 
system. 

In quantum cryptography, when Alice and Bob share a certain quantum 
state described by a density operator $\rho_{AB}$, it is usually assumed that Eve 
controls the whole environment, i.e., the total quantum state between 
Alice, Bob, and Eve is pure. Any measurement on the purifying system 
corresponds to a decomposition of the form $\rho_{AB} = \sum_z p_z \rho^{z}_{AB}$, where $\rho^{z}_{AB}$ is 
the state conditioned on the measurement outcome $z$. Considering the 
resulting systems, each of these $\rho^{z}_{AB}$ gives rise to a quantum system when 
measured, i.e., any measurement Eve does on her part of the quantum 
state induces a 'convex decomposition' of the quantum system Alice and 
Bob share into several quantum systems. This limits the possibilities an 
eavesdropper has to attack the systems. 

Lemma 4.1. Let $P_{XZ|UW}$ be an $(n + 1)$-party quantum system. Then any 
input $W$ induces a family of pairs $\{(p_z, P^{z}_{X|U})\}_z$, where $p_z$ is a weight and 
$P^{z}_{X|U}$ is an $n$-party quantum system, such that 

$$P_{X|U} = \sum_z p_z \cdot P^{z}_{X|U} . \tag{4.1}$$

Proof. For any $(n + 1)$-party quantum system $P_{XZ|UW}$, the marginal and 
conditional systems are $n$-party quantum systems (see Lemma 2.6, p. 55). 
Equation (4.1) holds by the definition of the marginal system. □ 

4.2.2 Security definition 

The system we consider (see Figure 4.1) is the one where Alice and Bob 
share a public authenticated channel plus a quantum state (modelled abstractly 
as a device taking inputs and giving outputs). Alice and Bob 
apply a protocol $(\pi, \pi')$ to the inputs and outputs of their systems in order 
to obtain a key. Eve can wire-tap the public channel and choose a 
measurement on her part of the quantum state. It is no advantage for 
Eve to make several measurements instead of a single one, as the same 
information can be obtained by making a refined measurement on the initial 
state. Without loss of generality, we can, therefore, assume that Eve 
makes a single measurement at the end (after all communication between 
Alice and Bob is finished). In our scenario, Eve, therefore, obtains all the 
communication exchanged over the public channel $Q$, can then choose 
a measurement $W$ (which can depend on $Q$) and finally obtains an outcome $Z$. 

To show security, we need to bound the distance of this real system from 
an ideal system (see Section 2.3.2), where Alice and Bob both obtain the 
same random string uncorrelated with anything else. In order to bound 
the distance between our real system and the ideal system, we introduce 
an intermediate system $\mathcal{S}_{\mathrm{int}}$, which is equal to our real system, but which 
outputs $S_A$ on both sides (i.e., $S_B$ is replaced by $S_A$). 

Figure 4.1: Our real system (top). Alice and Bob share a public authenticated 
channel and a quantum state. In our ideal system (bottom), instead 
of outputting the key generated by the protocol $(\pi, \pi')$, the system outputs 
a uniform random string $S$ to both Alice and Bob. We also use an 
intermediate system (middle) in our calculations. 

We introduce the distance from uniform of the key from the eavesdropper's 
point of view. 

Definition 4.1. Consider a system $\mathcal{S}_{\mathrm{real}}$ as depicted in Figure 4.1. The 
distance from uniform of $S_A$ given $Z(W_q)$ and $Q$ is 

$$d(S_A \mid Z(W_q), Q) = \frac{1}{2}\sum_{s_A, q}\max_{w}\sum_{z} P_{Z,Q|W=w}(z,q)\,\Big|P_{S_A \mid Z=z, Q=q, W=w}(s_A) - P_U(s_A)\Big| , $$

where the maximization is over all quantum systems $P_{XYZ|UVW}$ (and over Eve's 
choice of input $w$, which may depend on $q$). 

The following statement is a direct consequence of the definitions of the 
systems in Figure 4.1 and the distinguishing advantage. 

Corollary 4.1. Consider the intermediate system $\mathcal{S}_{\mathrm{int}}$ and the ideal system as 
depicted in Figure 4.1. Then 

$$\delta(\mathcal{S}_{\mathrm{int}}, \mathcal{S}_{\mathrm{ideal}}) = d(S_A \mid Z(W_q), Q) . $$

This quantity will be the one that is relevant for the secrecy of the protocol. 

Furthermore, the correctness of the protocol, i.e., the probability that 
Alice's and Bob's keys are equal, is determined by the distinguishing advantage 
between the intermediate system and the real system, more precisely, 
the probability that the real system outputs different values on the two 
sides. This is again a direct consequence of the definitions. 

Corollary 4.2. Consider the intermediate system $\mathcal{S}_{\mathrm{int}}$ and the real system $\mathcal{S}_{\mathrm{real}}$ 
as defined above. Then 

$$\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{int}}) = \sum_{s_A \ne s_B} P_{S_A S_B}(s_A, s_B) . $$

Finally, by the triangle inequality for the distinguishing advantage of systems 
(see Lemma 2.5, p. 32), we obtain the following statement relating 
the security of our protocol to the secrecy and correctness. 

Lemma 4.2. 

$$\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{ideal}}) \le \delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{int}}) + \delta(\mathcal{S}_{\mathrm{int}}, \mathcal{S}_{\mathrm{ideal}}) . $$

Since a system with $\delta(\mathcal{S}_{\mathrm{real}}, \mathcal{S}_{\mathrm{ideal}}) \le \varepsilon$ is $\varepsilon$-secure, we will be interested in 
bounding this quantity. 



4.3 Security of a Single System 

4.3.1 A bound on the guessing probability 

It will be our goal to show the security of a key-distribution protocol 
of the form given in Figure 4.1. The crucial part hereby is to bound 
the min-entropy an adversary has about the (raw) key. The min-entropy 
is equivalent to the probability that an eavesdropper interacting 
with her part of the quantum state can correctly guess the value of Alice's 
raw key $X$ (see Theorem 2.4, p. 50). Once this probability is bounded, a 
secure key can be obtained using standard techniques, such as information 
reconciliation and privacy amplification, which are already known 
to work in the quantum case [RK05, Ren05]. 

We will, in the following, study the scenario where Eve can choose an 
input $W$, depending on some additional information $Q$, and then obtains 
an output $Z$ (depending on $W$). She then has to try to guess a value 
$f(X)$ of range $\mathcal{F}$. In the context of key distribution, $f$ will be the identity 
function on the outputs on Alice's side. 

Definition 4.2. Consider a system $\mathcal{S}_{\mathrm{real}}$ as depicted in Figure 4.1. The 
guessing probability of $f(X)$ given $Z(W_q)$ and $Q$ is 

$$P_{\mathrm{guess}}(f(X) \mid Z(W_q), Q) = \sum_{q}\max_{w}\sum_{z} P_{Z,Q|W=w}(z,q) \cdot \max_{f(x)} P_{f(X) \mid Z=z, Q=q, W=w}(f(x)) , $$

where the maximization is over all quantum systems $P_{XYZ|UVW}$. The 
min-entropy of $f(X)$ given $Z(W_q)$ and $Q$ is 

$$H_{\min}(f(X) \mid Z(W_q), Q) = -\log_2 P_{\mathrm{guess}}(f(X) \mid Z(W_q), Q) . $$

Theorem 2.4 (p. 50) justifies this definition of the min-entropy. 

Lemma 4.1 gives a bound on the probability that a quantum adversary 
can guess Alice's outcome by the following maximization problem. (We 
assume that the inputs $u$ are public, i.e., $Q = (U = u, F = f)$.) 

Lemma 4.3. The value of $P_{\mathrm{guess}}(f(X) \mid Z(W_q), Q)$, where $P_{XZ|UW}$ is an $(n + 1)$-party 
quantum system and $Q = (U = u)$, is upper-bounded by the optimal 
value of the following optimization problem: 

$$
\begin{aligned}
\max:\quad & \sum_{z=1}^{|\mathcal{F}|} p_z \sum_{x : f(x) = z} P^{z}_{X|U}(x, u) \\
\text{s.t.}\quad & P_{X|U} = \sum_{z=1}^{|\mathcal{F}|} p_z \, P^{z}_{X|U} , \\
& P^{z}_{X|U} \text{ is an } n\text{-party quantum system, for all } z .
\end{aligned}
$$

Proof. The first condition follows by the definition of the marginal system 
and the second by the fact that for any $(n + 1)$-party quantum system the 
conditional systems are $n$-party quantum systems (see Lemma 2.6, p. 55). 
The objective function is the definition of the guessing probability. It is 
sufficient to consider the case $|\mathcal{Z}| = |\mathcal{F}|$ because any system where $Z$ has a 
larger range can be turned into a system reaching the same guessing probability 
by combining the conditional systems for which the same value $f(x)$ has maximal 
probability. By the convexity of quantum systems, this remains a quantum system. □ 



In [NPA07], a criterion in terms of a semi-definite program is given which 
any quantum system must fulfil. The idea is that if a system is quantum, 
then it is possible to associate a matrix $\Gamma$ with it which needs to be positive 
semi-definite. 

Definition 4.3. A sequence of length $k$ of a set of operators $\{E^{x_i}_{u_i} : x_i \in 
\mathcal{X}_i, u_i \in \mathcal{U}_i, i \in 1, \ldots, n\}$ is a product of $k$ operators of this set. The 
sequence of length $0$ is defined as the identity operator. 

Definition 4.4. The matrix $\Gamma$ is defined as 

$$\Gamma_{ij} = \langle\Psi| O_i^{\dagger} O_j |\Psi\rangle , $$

where $O_i = E^{x_{i_1}}_{u_{i_1}} E^{x_{i_2}}_{u_{i_2}} \cdots$ is a sequence of the measurement operators 
$\{E^{x}_{u}\}$. The matrix $\Gamma^{k}$ is defined in the same way as $\Gamma$, but restricting 
the operators to sequences of length at most $k$. 

In the above notation we consider the measurement operators as operators 
on the whole Hilbert space $\mathcal{H}$. These operators must fulfil the conditions 
of Definition 2.40 (p. 54) (i.e., they must be Hermitian orthogonal 
projectors and sum up to the identity for each input). If we additionally 
require them to commute, this is equivalent to a tensor-product structure by 
Theorem 2.5 (p. 55) if we consider only finite-dimensional Hilbert spaces. 
Note that the requirements the measurement operators fulfil translate to 
requirements on the entries of the matrix $\Gamma$. For example, certain entries 
must be equal to others, or the sum of some must be equal to the sum of 
others. 

In order to decide whether a certain system is quantum, we can ask 
whether such a matrix $\Gamma$ exists; because if the system is quantum, it must be 
possible to associate a matrix with it which is consistent with the probabilities 
describing the system and fulfils the above requirements. The problem 
of finding a consistent matrix $\Gamma$ is a semi-definite programming problem. 

Theorem 4.1 (Navascués, Pironio, Acín [NPA07]). For every quantum system 
$P_{X|U}$ there exists a symmetric matrix $\Gamma^{k}$ with $\Gamma^{k}_{ij} = \langle\Psi| O_i^{\dagger} O_j |\Psi\rangle$, 
where $O_i = E^{x_{i_1}}_{u_{i_1}} E^{x_{i_2}}_{u_{i_2}} \cdots$ is a sequence of length at most $k$ of the operators $\{E^{x}_{u}\}$. 
Furthermore, 

$$A_{\mathrm{qb}} \cdot \Gamma^{k} = 0 , \qquad \text{and} \qquad \Gamma^{k} \succeq 0 , $$

where $A_{\mathrm{qb}}$ corresponds to the conditions 

• orthogonal projectors: $\langle\Psi| O E^{x_i}_{u_i} E^{x'_i}_{u_i} O' |\Psi\rangle - \delta_{x_i x'_i} \langle\Psi| O E^{x_i}_{u_i} O' |\Psi\rangle = 0$, 

• completeness: $\sum_{x_i} \langle\Psi| O E^{x_i}_{u_i} O' |\Psi\rangle - \langle\Psi| O O' |\Psi\rangle = 0$ for all $u_i$, 

• commutativity: $\langle\Psi| O E^{x_i}_{u_i} E^{x_j}_{u_j} O' |\Psi\rangle = \langle\Psi| O E^{x_j}_{u_j} E^{x_i}_{u_i} O' |\Psi\rangle$ for $i \ne j$, 

where $O$ and $O'$ stand for arbitrary sequences from the set $\{E^{x}_{u}\}$. 

Proof. Orthogonality, completeness, and Hermiticity follow directly from 
Definition 2.40 (p. 54). Let us see that the matrix is positive semi-definite. 
For all $v \in \mathbb{C}^{m}$, 

$$v^{\dagger} \Gamma^{k} v = \sum_{i,j} \bar{v}_i \Gamma_{ij} v_j = \sum_{i,j} \bar{v}_i \langle\Psi| O_i^{\dagger} O_j |\Psi\rangle v_j = \langle\Psi| V^{\dagger} V |\Psi\rangle \ge 0 , $$

where $V := \sum_j v_j O_j$. Finally, the matrix can be taken to be real, because 
for any complex $\Gamma^{k}$, the matrix $(\Gamma^{k} + \Gamma^{k*})/2$ is real and fulfils the conditions. □ 



We do not require this matrix to be normalized. Note that the matrix 
$\Gamma^{k}$ contains, in particular, the (potentially not normalized) probabilities 
$P_{X|U}(x, u)$ associated with an $n$-party quantum system, for $n \le 2k$. 

Definition 4.5 (Navascués, Pironio, Acín [NPA07]). Let $P_{X|U}$ be an $n$-party 
system. If there exists a positive semi-definite matrix $\Gamma^{k}$ such that 
$A_{\mathrm{qb}} \Gamma^{k} = 0$ and whose entries satisfy $\Gamma^{k}_{ij} = P_{X|U}(x, u)$ whenever $\Gamma^{k}_{ij}$ is the entry 
associated with $\langle\Psi| \prod_i E^{x_i}_{u_i} |\Psi\rangle$, then this $\Gamma^{k}$ is called a quantum certificate 
of order $k$ associated with the system $P_{X|U}$. 

In [DLTW08, NPA08], it is shown that if a certificate of order $k$ can be 
associated with a certain system $P_{X|U}$ for all $k \to \infty$, then this system 
is indeed quantum. More precisely, it corresponds to a quantum system 
where operators associated with different parties commute, but do not 
necessarily have a tensor-product structure. For any finite-dimensional 
system, this is, of course, equivalent, as we have seen in Theorem 2.5 
(p. 55). 
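As an added example (not from the thesis), the following Python code builds the order-1 matrix $\Gamma^{1}$ of Definition 4.4 for a concrete quantum system: the singlet with Alice measuring $\sigma_z$, $\sigma_x$ and Bob measuring $(\sigma_z \pm \sigma_x)/\sqrt{2}$ with inverted outcomes, i.e., the CHSH setting (these state and measurement choices are the example's assumptions). Rows and columns are indexed by the sequences $\{1, E^{0}_{u_0}, E^{0}_{u_1}, F^{0}_{v_0}, F^{0}_{v_1}\}$; for binary outcomes one projector per setting suffices, since the other is $1 - E$, which is how the completeness condition enters. The code checks the properties Theorem 4.1 promises, namely that the matrix is Hermitian, positive semi-definite and satisfies the projector and commutativity conditions, and reads the CHSH value off the observable entries alone. The positive semi-definiteness test is a Cholesky factorisation that tolerates zero pivots, so it can be applied to any candidate certificate, not only to one built from a known state.

```python
"""Order-1 NPA moment matrix of a known quantum system (added example, not thesis code).

Pure Python, no numpy: 2x2 / 4x4 matrices are nested lists, states are lists.
Assumed system: singlet, Alice sigma_z / sigma_x, Bob (sigma_z +- sigma_x)/sqrt2
with inverted outcomes (the CHSH setting).
"""
import math

I2 = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]
SZ = [[1, 0], [0, -1]]
SINGLET = [0, 1 / math.sqrt(2), -1 / math.sqrt(2), 0]   # (|01> - |10>)/sqrt2


def lin(a, A, b, B):
    """a*A + b*B for 2x2 matrices."""
    return [[a * A[i][j] + b * B[i][j] for j in range(2)] for i in range(2)]


def kron(A, B):
    """Tensor product of two 2x2 matrices (4x4 result)."""
    return [[A[i // 2][j // 2] * B[i % 2][j % 2] for j in range(4)] for i in range(4)]


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def inner(a, b):
    """<a|b>, conjugating the first argument."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def chsh_operators():
    """Outcome-0 projectors E^0_u (Alice) and F^0_v (Bob) on the 4-dim space."""
    r = 1 / math.sqrt(2)
    B0 = lin(r, SZ, r, SX)        # (sigma_z + sigma_x)/sqrt2
    B1 = lin(r, SZ, -r, SX)       # (sigma_z - sigma_x)/sqrt2
    plus = lambda obs: lin(0.5, I2, 0.5, obs)    # projector onto the +1 eigenspace
    minus = lambda obs: lin(0.5, I2, -0.5, obs)  # projector onto the -1 eigenspace
    E = [kron(plus(SZ), I2), kron(plus(SX), I2)]
    # Bob "inverts his measurement result": his outcome 0 is the -1 eigenvalue.
    F = [kron(I2, minus(B0)), kron(I2, minus(B1))]
    return E, F


def moment_matrix(psi, ops):
    """Gamma_ij = <psi|O_i^dagger O_j|psi> for O = [identity] + ops (projectors, O^dagger = O)."""
    vecs = [psi] + [matvec(O, psi) for O in ops]
    return [[inner(a, b) for b in vecs] for a in vecs]


def is_psd(G, tol=1e-9):
    """Cholesky-style PSD test for a Hermitian matrix; rank-deficient matrices pass."""
    n = len(G)
    L = [[0j] * n for _ in range(n)]
    for j in range(n):
        d = G[j][j].real - sum(abs(L[j][k]) ** 2 for k in range(j))
        if d < -tol:
            return False
        if d <= tol:
            # zero pivot: the rest of the column must vanish, else G has a negative eigenvalue
            for i in range(j + 1, n):
                rem = G[i][j] - sum(L[i][k] * L[j][k].conjugate() for k in range(j))
                if abs(rem) > 1e-6:
                    return False
            continue
        L[j][j] = math.sqrt(d)
        for i in range(j + 1, n):
            L[i][j] = (G[i][j] - sum(L[i][k] * L[j][k].conjugate() for k in range(j))) / L[j][j]
    return True


def npa_level1_constraints(G, n_alice, n_bob, tol=1e-9):
    """The conditions of Theorem 4.1 as they appear in an order-1 matrix."""
    n = len(G)
    hermitian = all(abs(G[i][j] - G[j][i].conjugate()) < tol for i in range(n) for j in range(n))
    projector = all(abs(G[i][i] - G[0][i]) < tol for i in range(1, n))   # <E E> = <E>
    commuting = all(abs(G[1 + a][1 + n_alice + b] - G[1 + n_alice + b][1 + a]) < tol
                    for a in range(n_alice) for b in range(n_bob))         # <E F> = <F E>
    return hermitian and projector and commuting and is_psd(G, tol)


def chsh_from_gamma(G, n_alice=2):
    """CHSH from observable entries: P(0|u)=G[0][E_u], P(0|v)=G[0][F_v], P(00|uv)=G[E_u][F_v]."""
    def corr(u, v):
        pa, pb = G[0][1 + u].real, G[0][1 + n_alice + v].real
        p00 = G[1 + u][1 + n_alice + v].real
        return 1 - 2 * pa - 2 * pb + 4 * p00    # P(x = y) - P(x != y)
    return corr(0, 0) + corr(0, 1) + corr(1, 0) - corr(1, 1)


def singlet_certificate():
    E, F = chsh_operators()
    return moment_matrix(SINGLET, E + F)


if __name__ == "__main__":
    G = singlet_certificate()
    print("constraints of Theorem 4.1 hold:", npa_level1_constraints(G, 2, 2))
    print("CHSH value read from Gamma:", chsh_from_gamma(G))
```

The entries $\Gamma[E_{u_0}][E_{u_1}] = \langle\Psi|E^{0}_{u_0}E^{0}_{u_1}|\Psi\rangle$ are exactly the unobservable ones that Section 4.3.2 has to eliminate: they are computed here only because the state is known, while the constraints and the CHSH value use only first-row entries and the $E$-$F$ block.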

The above criterion allows us to replace the condition that $P_{XY|UV}$ is a quantum 
system by the condition that a certain matrix is positive semi-definite, 
and thereby to bound Eve's guessing probability by a semi-definite program. 

Lemma 4.4. The maximum guessing probability of $f(X)$, given $Z(W_q)$ and 
$Q := (U = u, F = f)$, is upper-bounded by¹ 

$$P_{\mathrm{guess}}(f(X) \mid Z(W_q), Q) \le \sum_{z=1}^{|\mathcal{F}|} b_z^{T} \cdot \Gamma^{z} , $$

where $\sum_{z=1}^{|\mathcal{F}|} b_z^{T} \cdot \Gamma^{z}$ is the optimal value of the optimization problem 

$$
\begin{aligned}
\max:\quad & \sum_{z=1}^{|\mathcal{F}|}\ \sum_{x : f(x) = z} \Gamma^{z}(x, u) \\
\text{s.t.}\quad & A_{\mathrm{qb}} \cdot \Gamma^{z} = 0 \quad \text{for all } z , \\
& \Gamma^{z} \succeq 0 \quad \text{for all } z , \\
& \sum_{z=1}^{|\mathcal{F}|} \Gamma^{z} = \Gamma^{k}_{\mathrm{marg}} ,
\end{aligned}
\tag{4.2}
$$

where $\Gamma^{z}(x, u)$ denotes the entry of the matrix $\Gamma^{z}$ corresponding to 
$\langle\psi| \prod_i E^{x_i}_{u_i} |\psi\rangle$, i.e., it contains in particular the probabilities $P^{z}_{X|U}(x, u)$; 
$b_z$ is a matrix of the same size as $\Gamma^{z}$ which has a $1$ at the positions where $\Gamma$ has 
the entry $\langle\psi| O_i^{\dagger} O_i |\psi\rangle$ with $O_i = \prod_m E^{x_m}_{u_m}$ such that $f(x) = z$, and $0$ elsewhere. 
The matrix $\Gamma^{k}_{\mathrm{marg}}$ denotes the certificate of order $k$ associated with the marginal system $P_{X|U}$. 

Proof. This follows from Lemma 4.3, the fact that any quantum system 
$P^{z}_{X|U}$ has a quantum certificate of order $k$, and $\sum_z p_z = 1$ (the weights $p_z$ are 
absorbed into the unnormalized certificates $\Gamma^{z}$). □ 

¹ In the following, we sometimes write matrices as vectors by writing the columns 'on top 
of each other'. When we write that a vector needs to be positive semi-definite, we mean that 
the matrix obtained by the inverse of this transformation must be positive semi-definite. 

Figure 4.2: The matrix corresponding to the second-order criterion 
of [NPA07] associated with a bipartite system. We denote the operators 
associated with the first party by $E$ and with the second by $F$. If the 
system is quantum, the entry in the row associated with operator $A$ and the 
column associated with operator $B$ corresponds to $\langle\Psi| A^{\dagger} B |\Psi\rangle$, and the 
resulting matrix is positive semi-definite. The constraints are such that 
certain entries of the matrix are $0$, or that the sum of certain entries equals 
the sum of other entries (for example, entries in areas hatched 
the same way are equal). 



The primal and dual programs can be expressed as follows (a $1$ inside the block 
matrices denotes the identity map on vectorized matrices): 

PRIMAL 

$$
\begin{aligned}
\max:\quad & \sum_{z=1}^{|\mathcal{F}|} b_z^{T} \cdot \Gamma^{z} \\
\text{s.t.}\quad &
\begin{pmatrix} A_{\mathrm{qb}} & & \\ & \ddots & \\ & & A_{\mathrm{qb}} \\ 1 & \cdots & 1 \end{pmatrix}
\begin{pmatrix} \Gamma^{1} \\ \vdots \\ \Gamma^{|\mathcal{F}|} \end{pmatrix}
= \begin{pmatrix} 0 \\ \vdots \\ 0 \\ \Gamma^{k}_{\mathrm{marg}} \end{pmatrix} \\
& \Gamma^{z} \succeq 0 \quad \text{for all } z
\end{aligned}
\tag{4.3}
$$

DUAL 

$$
\begin{aligned}
\min:\quad & \Gamma^{k}_{\mathrm{marg}} \cdot \lambda_{|\mathcal{F}|+1} \\
\text{s.t.}\quad &
\begin{pmatrix} A_{\mathrm{qb}}^{T} & & & 1 \\ & \ddots & & \vdots \\ & & A_{\mathrm{qb}}^{T} & 1 \end{pmatrix}
\begin{pmatrix} \lambda_1 \\ \vdots \\ \lambda_{|\mathcal{F}|} \\ \lambda_{|\mathcal{F}|+1} \end{pmatrix}
\succeq \begin{pmatrix} b_1 \\ \vdots \\ b_{|\mathcal{F}|} \end{pmatrix} \\
& \lambda_i \text{ unrestricted}
\end{aligned}
\tag{4.4}
$$

Note that any dual feasible solution gives an upper bound on the guessing 
probability which is linear in the matrix $\Gamma^{k}_{\mathrm{marg}}$ associated with the marginal 
system of Alice and Bob. Furthermore, the dual feasible region is 
independent of Alice's and Bob's marginal system; it only depends on the 
number of inputs and outputs and the step in the semi-definite hierarchy 
considered. 

However, the matrix $\Gamma^{k}_{\mathrm{marg}}$ contains entries which do not correspond to 
observable probabilities and are only known if the state and measurement 
operators are known (i.e., in a scenario that is not device-independent). It will 
be the goal of the next section to express the guessing probability in terms 
of observable quantities. 



4.3.2 Guessing probability in terms of observable proba- 
bilities 

Certain entries of the matrix $\Gamma^{k}_{\mathrm{marg}}$ do not correspond to observable probabilities, 
and it is, therefore, impossible to know their value by testing the 
system. In this section, we will modify the above optimization problem 
in such a way as to get a solution only in terms of observable probabilities. 
More precisely, we will modify the optimization problem to take 
the 'worst' possible quantum certificate consistent with the observed 
probabilities. This leads to the following modified semi-definite program. 
The matrix $A_U$ is defined such that, multiplied with a quantum certificate, 
the observable probabilities are obtained, i.e., $A_U \Gamma^{k} = P_{X|U}$ (where 
$P_{X|U}$ denotes the vector containing the values $P_{X|U}(x, u)$ for all $x, u$). 
PRIMAL 

$$
\begin{aligned}
\max:\quad & \sum_{z=1}^{|\mathcal{F}|} b_z^{T} \cdot \Gamma^{z} \\
\text{s.t.}\quad &
\begin{pmatrix} A_{\mathrm{qb}} & & & 0 \\ & \ddots & & \vdots \\ & & A_{\mathrm{qb}} & 0 \\ 1 & \cdots & 1 & -1 \\ 0 & \cdots & 0 & A_U \end{pmatrix}
\begin{pmatrix} \Gamma^{1} \\ \vdots \\ \Gamma^{|\mathcal{F}|} \\ \Gamma^{k}_{\mathrm{marg}} \end{pmatrix}
= \begin{pmatrix} 0 \\ \vdots \\ 0 \\ 0 \\ P_{X|U} \end{pmatrix} \\
& \Gamma^{z} \succeq 0 \quad \text{for all } z , \qquad \Gamma^{k}_{\mathrm{marg}} \text{ unrestricted}
\end{aligned}
\tag{4.5}
$$

DUAL 

$$
\begin{aligned}
\min:\quad & P_{X|U} \cdot \lambda_{|\mathcal{F}|+2} \\
\text{s.t.}\quad &
\begin{pmatrix} A_{\mathrm{qb}}^{T} & & & 1 & 0 \\ & \ddots & & \vdots & \vdots \\ & & A_{\mathrm{qb}}^{T} & 1 & 0 \\ 0 & \cdots & 0 & -1 & A_U^{T} \end{pmatrix}
\begin{pmatrix} \lambda_1 \\ \vdots \\ \lambda_{|\mathcal{F}|} \\ \lambda_{|\mathcal{F}|+1} \\ \lambda_{|\mathcal{F}|+2} \end{pmatrix}
\succeq \begin{pmatrix} b_1 \\ \vdots \\ b_{|\mathcal{F}|} \\ 0 \end{pmatrix} \\
& \lambda_i \text{ unrestricted}
\end{aligned}
\tag{4.6}
$$

(The last block row of (4.6) holds with equality, since $\Gamma^{k}_{\mathrm{marg}}$ is unrestricted in the primal.) 

Note that we have changed $\Gamma^{k}_{\mathrm{marg}}$ to be a variable (instead of a constant). 
Obviously $\Gamma^{k}_{\mathrm{marg}} \succeq 0$ holds because it is the sum of positive semi-definite 
matrices. However, it is easier when we do not make this restriction explicit 
in the program. 

Lemma 4.5. Let $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+2}$ be dual feasible for (4.6). Then $\lambda_1, \ldots, 
\lambda_{|\mathcal{F}|+1}$ are dual feasible for (4.4), reaching the same objective value. 

Proof. We use the fact that $A_U \Gamma^{k}_{\mathrm{marg}} = P_{X|U}$. Since $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+2}$ are 
dual feasible for (4.6), it holds that $A_U^{T} \lambda_{|\mathcal{F}|+2} = \lambda_{|\mathcal{F}|+1}$. Therefore, 

$$\Gamma^{k}_{\mathrm{marg}} \cdot \lambda_{|\mathcal{F}|+1} = \Gamma^{k}_{\mathrm{marg}} \cdot A_U^{T} \lambda_{|\mathcal{F}|+2} = \big(A_U \Gamma^{k}_{\mathrm{marg}}\big) \cdot \lambda_{|\mathcal{F}|+2} = P_{X|U} \cdot \lambda_{|\mathcal{F}|+2} . \qquad □$$

Lemma 4.5 implies that any dual feasible solution of (4.6) gives an upper 
bound on the guessing probability which is linear in the observable 
probabilities. 

Furthermore, in terms of the min-entropy, it means that Eve's min-entropy 
about Alice's value $f(X)$ is at least 
$H_{\min}(f(X) \mid Z(W_q), Q) \ge -\log_2\big(P_{X|U} \cdot \lambda_{|\mathcal{F}|+2}\big)$ for any dual feasible $\lambda$. 

Example 14. Consider a bipartite quantum system with binary inputs and outputs given by the mixture of the system in Figure 2.8 (p. 56) with weight $1-p$ and a perfectly random bit with weight $p$ (this system can be achieved by meas<br>uring a mixture of a singlet and a fully mixed state using the measurements given in the example on p. 56). The guessing probability of the output bit $X$ as a function of the parameter $p$ is given in Figure 4.3.²

[Figure 4.3: plot of the bound on the guessing probability (vertical axis, 0.5 to 1.0) against the parameter $p$ (horizontal axis, 0.05 to 0.30).]

Figure 4.3: The bound on the guessing probability of the measurement outcomes of Example 14.

4.3.3 Best attack on a bit 

The above analysis can also be used to find the best attack in case the function $f$ maps $X$ to a bit. However, in this case, we can give a slightly different form to calculate the distance from uniform of a bit. This will allow us to show an XOR-Lemma for quantum secrecy in Section 4.4.3.

² The data plotted in Figure 4.3 has been obtained by solving (4.5) numerically, using the programs MATLAB®, Yalmip and SeDuMi [MAT08, Stu98, Lof04].
Lemma 4.6. The distance from uniform of $B = f(X)\in\{0,1\}$ given $Z(W_q)$ and $Q := (U = u, F = f)$ is upper-bounded by
\[
d(B\,|\,Z(W_q),Q) = \tfrac12\, b^T\cdot\Gamma^{\Delta*}\,,
\]
where $b^T\Gamma^{\Delta*}$ is the optimal value of the optimization problem
\[
\begin{aligned}
\max :\; & \sum_{x : B=0}\Gamma^{\Delta}(x,u) - \sum_{x : B=1}\Gamma^{\Delta}(x,u) \hspace{4em} (4.7)\\
\text{s.t.}\; & A_{qb}\,\Gamma^{\Delta} = 0\,,\\
& -\Gamma^k_{\rm marg} \preceq \Gamma^{\Delta} \preceq \Gamma^k_{\rm marg}\,,
\end{aligned}
\]
where $\Gamma_{\rm marg}$ is the matrix associated with the marginal system $P_{X|U}$.
Proof. Define
\[
\Gamma^{\Delta} = 2p\cdot\Gamma^{z_0} - \Gamma_{\rm marg}\,,
\]
and note that with this definition $\Gamma^{z_0} = (\Gamma_{\rm marg} + \Gamma^{\Delta})/(2p)$ and $\Gamma^{z_1} = (\Gamma_{\rm marg} - \Gamma^{\Delta})/(2(1-p))$.

The distance from uniform of a bit can be expressed as
\[
\begin{aligned}
d(B\,|\,Z(W_q),Q) &= \tfrac12\Big[\, p\cdot\Big(\sum_{x:B=0}\Gamma^{z_0}(x,u) - \sum_{x:B=1}\Gamma^{z_0}(x,u)\Big)\\
&\qquad + (1-p)\cdot\Big(\sum_{x:B=1}\Gamma^{z_1}(x,u) - \sum_{x:B=0}\Gamma^{z_1}(x,u)\Big)\Big]\\
&= \tfrac12\cdot b^T\cdot\Gamma^{\Delta}\,.
\end{aligned}
\]
Now notice that $\Gamma^{z_0}$ and $\Gamma^{z_1}$ are actually quantum certificates of order $k$ if $\Gamma^{\Delta}$ fulfils the above requirements. The conditions the matrix $\Gamma$ needs to fulfil are all linear and, therefore, because $\Gamma_{\rm marg}$ fulfils them, $\Gamma^{z_0}$ and $\Gamma^{z_1}$ fulfil them exactly if $\Gamma^{\Delta}$ does. The semi-definite constraints correspond exactly to the requirement that $\Gamma^{z_0}$ and $\Gamma^{z_1}$ are positive semi-definite, using the fact that the space of positive semi-definite matrices forms a convex cone. □
The above semi-definite program can be expressed in the following form:

PRIMAL
\[
\begin{aligned}
\max :\; & b^T\cdot\Gamma^{\Delta} \hspace{4em} (4.8)\\
\text{s.t.}\; & \Gamma^{\Delta} - \Gamma^k_{\rm marg} \preceq 0\,,\qquad -\Gamma^{\Delta} - \Gamma^k_{\rm marg} \preceq 0\,,\qquad A_{qb}\,\Gamma^{\Delta} = 0
\end{aligned}
\]

DUAL
\[
\begin{aligned}
\min :\; & \Gamma^{k\,T}_{\rm marg}\cdot(\lambda_1 + \lambda_2) \hspace{4em} (4.9)\\
\text{s.t.}\; & \lambda_1 - \lambda_2 + A_{qb}^T\lambda_3 = b\\
& \lambda_1, \lambda_2 \succeq 0,\quad \lambda_3\ \text{unrestricted}
\end{aligned}
\]



4.3.4 Best attack on a bit in terms of observable probabilities

Any dual solution of (4.9) leads to a bound on the distance from uniform of the bit $B$ in terms of the matrix elements $\Gamma^k_{\rm marg}$. We will now change our primal program to one where we optimize over all $\Gamma^k_{\rm marg}$ compatible with the observable probabilities. The dual of this program has a solution only in terms of these probabilities. We then show how we can transform any dual feasible solution of this program into a dual feasible solution of the program above reaching the same value.
The new program we consider is the following:

PRIMAL
\[
\begin{aligned}
\max :\; & b^T\cdot\Gamma^{\Delta} \hspace{4em} (4.10)\\
\text{s.t.}\; & \Gamma^{\Delta} - \Gamma^k_{\rm marg} \preceq 0\,,\qquad -\Gamma^{\Delta} - \Gamma^k_{\rm marg} \preceq 0\,,\\
& A_{qb}\,\Gamma^{\Delta} = 0\,,\qquad A_U\,\Gamma^k_{\rm marg} = P_{X|U}\,,\qquad A_{qb}\,\Gamma^k_{\rm marg} = 0\,,\\
& \Gamma^{\Delta},\ \Gamma^k_{\rm marg}\ \text{unrestricted}
\end{aligned}
\]

DUAL
\[
\begin{aligned}
\min :\; & P_{X|U}^T\cdot\lambda_4 \hspace{4em} (4.11)\\
\text{s.t.}\; &
\begin{pmatrix}
\mathbb 1 & -\mathbb 1 & A_{qb}^T & 0 & 0\\
-\mathbb 1 & -\mathbb 1 & 0 & A_U^T & A_{qb}^T
\end{pmatrix}
\begin{pmatrix}\lambda_1\\ \lambda_2\\ \lambda_3\\ \lambda_4\\ \lambda_5\end{pmatrix}
=
\begin{pmatrix} b\\ 0\end{pmatrix}\\
& \lambda_1,\lambda_2\succeq 0,\quad \lambda_3,\lambda_4,\lambda_5\ \text{unrestricted}
\end{aligned}
\]

where the matrix $A_U$ is such that $A_U\,\Gamma_{\rm marg} = P_{X|U}$. We claim that any dual feasible solution of (4.11) can be transformed into a dual feasible solution of (4.9) reaching the same value. The solution of (4.11), therefore, gives a bound on the distance from uniform only in terms of the observable probabilities.



Lemma 4.7. Let $\lambda_1,\lambda_2,\lambda_3,\lambda_4,\lambda_5$ be a dual feasible solution of (4.11). Then $\lambda_1,\lambda_2,\lambda_3$ is a dual feasible solution of (4.9) reaching the same objective value.



Proof. The condition that $\lambda_1,\lambda_2,\lambda_3$ is feasible for (4.9) follows directly from the (upper row) feasibility condition of (4.11). To see that it reaches the same value, we use the fact that $\Gamma^k_{\rm marg}$ is a quantum certificate, i.e.,
\[
A_{qb}\cdot\Gamma^k_{\rm marg} = 0\,,
\]
and the (lower row) condition of (4.11), i.e.,
\[
-\lambda_1 - \lambda_2 + A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5 = 0\,.
\]
We then obtain
\[
\begin{aligned}
\Gamma^{k\,T}_{\rm marg}\cdot(\lambda_1+\lambda_2)
&= \Gamma^{k\,T}_{\rm marg}\cdot(\lambda_1+\lambda_2) + \Gamma^{k\,T}_{\rm marg}\cdot\big(-\lambda_1-\lambda_2 + A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5\big)\\
&= \Gamma^{k\,T}_{\rm marg}\cdot\big(A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5\big)\\
&= \big(A_U\cdot\Gamma^k_{\rm marg}\big)^T\cdot\lambda_4\\
&= P_{X|U}^T\cdot\lambda_4\,. \qquad\square
\end{aligned}
\]



4.4 Several Systems 

4.4.1 Conditions on several quantum systems 

In this section, we will show our main technical result, namely that the conditions in the above semi-definite program behave in a product form if the measurements on different subsystems commute. Roughly, we will show the following: Consider a system $P_{XY|UV}$ associated with a single pair of systems and the matrix $\Gamma^k$ associated with the $k$-th step of the hierarchy, fulfilling $A_{qb}\,\Gamma^k = 0$. Then, with two pairs of systems, it is possible to associate a matrix $\Gamma'^k$ living in the tensor product space of two $\Gamma^k$. Furthermore, this matrix must fulfil $(\mathbb 1\otimes A_{qb})\,\Gamma'^k = 0$.

Definition 4.6. Assume an $(n+m)$-party quantum system. The reduced quantum certificate of order $k$ is the matrix $\Gamma'^k_{n+m}$, defined as
\[
\big(\Gamma'^k_{n+m}\big)_{ij} = \langle\psi|\,O_{i_1}^{\dagger}O_{i_2}^{\dagger}O_{j_2}O_{j_1}\,|\psi\rangle\,,
\]
where $i = l(i_2-1) + i_1$ and $j = l(j_2-1) + j_1$ and $l$ is the number of rows of a quantum certificate of order $k$ for the $n$-party quantum system. $O_{i_1}$ is the operator associated with the $i_1$-th row of the quantum certificate of order $k$ of the marginal $n$-party system (and similarly for $O_{i_2}$ and the $m$-party system).

Lemma 4.8. The matrix $\Gamma'^k_{n+m}$ is positive semi-definite, i.e., $\Gamma'^k_{n+m}\succeq 0$.

Proof. This follows directly from the fact that $\Gamma'^k_{n+m}$ is a sub-matrix of the $(2k)$-th order quantum certificate associated with the $(n+m)$-party quantum system. □
The main insight, which will lead directly to the product theorems, is the following lemma.

Lemma 4.9. Let $P_{X_1|U_1}$ be an $n$-party and $P_{X_2|U_2}$ an $m$-party quantum system. Call the associated certificates of order $k$ $\Gamma_1^k$ and $\Gamma_2^k$ and write the linear conditions they fulfil as $A_{qb,1}\Gamma_1^k = 0$ and $A_{qb,2}\Gamma_2^k = 0$. Then the reduced quantum certificate of order $k$ associated with the $(n+m)$-party quantum system fulfils
\[
(A_{qb,1}\otimes\mathbb 1)\cdot\Gamma'^k_{n+m} = 0 \quad\text{and}\quad (\mathbb 1\otimes A_{qb,2})\cdot\Gamma'^k_{n+m} = 0\,.
\]

This can be interpreted in the following way: Even conditioned on any specific outcome (i.e., matrix entry) of the second system, the first system must still be a quantum system.

Proof. The matrix $A_{qb,1}$ contains entries of the form
\[
\langle\psi|\,O_{i_1}^{\dagger}O_{j_1}\,|\psi\rangle - \langle\psi|\,O_{i_1'}^{\dagger}O_{j_1'}\,|\psi\rangle = 0\,,
\]
which all operators associated with an $n$-party quantum system must fulfil, because $O_{i_1}^{\dagger}O_{j_1} - O_{i_1'}^{\dagger}O_{j_1'} = 0$. By the definition of $\Gamma'^k_{n+m}$, the conditions $(A_{qb,1}\otimes\mathbb 1)\,\Gamma'^k_{n+m}$ correspond to
\[
\begin{aligned}
&\langle\psi|\,O_{i_1}^{\dagger}O_{i_2}^{\dagger}O_{j_2}O_{j_1}\,|\psi\rangle - \langle\psi|\,O_{i_1'}^{\dagger}O_{i_2}^{\dagger}O_{j_2}O_{j_1'}\,|\psi\rangle\\
&= \langle\psi|\,O_{i_1}^{\dagger}O_{j_1}O_{i_2}^{\dagger}O_{j_2}\,|\psi\rangle - \langle\psi|\,O_{i_1'}^{\dagger}O_{j_1'}O_{i_2}^{\dagger}O_{j_2}\,|\psi\rangle\\
&= \langle\psi|\,\big(O_{i_1}^{\dagger}O_{j_1} - O_{i_1'}^{\dagger}O_{j_1'}\big)O_{i_2}^{\dagger}O_{j_2}\,|\psi\rangle = 0\,,
\end{aligned}
\]
where we have used the fact that operators associated with different parties commute, linearity, and the fact that the operators associated with an $(n+m)$-party quantum system must still fulfil the conditions associated with a single system (as given in Definition 2.40, p. 54). □



4.4.2 A product lemma for the guessing probability 

Using the above property, we can show a product lemma for the guessing 
probability. 
Lemma 4.10. Let $A_1$, $b_1$, and $c_1$ be the parameters associated with the semi-definite program (4.3) bounding the guessing probability of $f(X_1)$ of an $n$-party quantum system $P_{X_1|U_1}$, where $Q_1 = (U_1 = u_1, F = f)$. Similarly, associate $A_2$, $b_2$, and $c_2$ with an $m$-party quantum system $P_{X_2|U_2}$, where $g(X_2)$ and $Q_2 = (U_2 = u_2, G = g)$. Then the guessing probability of $f(X_1)\|g(X_2)$ (denoting the concatenation) of the $(n+m)$-party system $P_{X_1X_2|U_1U_2}$ where $Q = (U = u, F = f, G = g)$ is bounded by the semi-definite program defined by $A$, $b$, and $c$, where $b = b_1\otimes b_2$, $A = A_1\otimes A_2$.

Proof. This follows from the fact that any $(n+m)$-party quantum system must fulfil Lemma 4.9 and that $b_1\otimes b_2$ has a 1 exactly at the entry associated with $\langle\psi|O_1^{\dagger}O_2^{\dagger}O_2O_1|\psi\rangle$, where $O_1$ is the operator associated with the probability of the outcome $X_1$ mapped to a certain $f(x_1)$, and similarly for $O_2$ and $g(x_2)$. □

Consider now the dual of this 'tensor product' problem. We will use a product theorem from [MS07] (see also [LM08]) to show that for any dual feasible $\lambda$ (for a single system), $\lambda\otimes\cdots\otimes\lambda$ is dual feasible for the dual of the tensor product problem, therefore forming an upper bound on the guessing probability.

Theorem 4.2 (Mittal, Szegedy [MS07]). Consider a semi-definite program $\min: c_1^T\lambda_1$, s.t. $A_1^T\lambda_1 - b_1\succeq 0$ and a feasible $\lambda_1$, and similarly for $A_2$, $b_2$, $c_2$, and $\lambda_2$. Assume $b_1\succeq 0$ and $b_2\succeq 0$. Then $\lambda = \lambda_1\otimes\lambda_2$ is feasible for the semi-definite program $\min: (c_1\otimes c_2)^T\lambda$, s.t. $(A_1\otimes A_2)^T\lambda - (b_1\otimes b_2)\succeq 0$.

Proof. We use the fact that for a $\lambda$ such that $A^T\lambda - b\succeq 0$, where $b\succeq 0$, it holds that $A^T\lambda - b + 2b = A^T\lambda + b\succeq 0$, because we consider a convex cone. The tensor product of two positive semi-definite matrices is positive semi-definite. We obtain
\[
\begin{aligned}
(A_1^T\lambda_1 - b_1)\otimes(A_2^T\lambda_2 + b_2)
&= A_1^T\lambda_1\otimes A_2^T\lambda_2 - b_1\otimes A_2^T\lambda_2 + A_1^T\lambda_1\otimes b_2 - b_1\otimes b_2 \succeq 0\,,\\
(A_1^T\lambda_1 + b_1)\otimes(A_2^T\lambda_2 - b_2)
&= A_1^T\lambda_1\otimes A_2^T\lambda_2 + b_1\otimes A_2^T\lambda_2 - A_1^T\lambda_1\otimes b_2 - b_1\otimes b_2 \succeq 0\,.
\end{aligned}
\]
Adding the two inequalities and dividing by two implies that
\[
A_1^T\lambda_1\otimes A_2^T\lambda_2 - b_1\otimes b_2 = (A_1\otimes A_2)^T(\lambda_1\otimes\lambda_2) - b_1\otimes b_2 \succeq 0\,,
\]
which means that $\lambda_1\otimes\lambda_2$ is feasible for the product problem. □

Lemma 4.11. Let $\lambda_1$ be a dual feasible solution of (4.4) defined by $A_1$, $b_1$, and $c_1$ (see Lemma 4.10), and similarly for $\lambda_2$ and $A_2$, $b_2$, and $c_2$. Then $\lambda = \lambda_1\otimes\lambda_2$ is dual feasible for the program $A$, $b$, $c$ where $A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.

Proof. Note that $b_i$ is of the form
\[
\begin{pmatrix} 0 & \cdots & 0\\ \vdots & 1 & \vdots\\ 0 & \cdots & 0\end{pmatrix},
\]
i.e., it has a 1 in the place where the matrix $\Gamma$ has the entry $\langle\psi|E_i^{\dagger}E_i|\psi\rangle$ for $f(x) = i$ and 0 everywhere else. It, therefore, only has positive entries on the diagonal and 0 everywhere else. Clearly, $b_i\succeq 0$. The claim then follows by Theorem 4.2. □

We can now formulate the product lemma for the guessing probability. 

Theorem 4.3 (Product lemma for the guessing probability). Let $P_{X_1|U_1}$ be an $n$-party quantum system and $f(X_1)$ a function $f:\mathcal X_1\to\mathcal F$ such that $P_{\rm guess}(f(X_1)\,|\,Z(W_q),Q)\le P_{X_1|U_1}^T\lambda_1$, where $Q = (U_1 = u_1, F = f)$. Similarly, associate the guessing probability $P_{\rm guess}(g(X_2)\,|\,Z(W_q),Q)\le P_{X_2|U_2}^T\lambda_2$ with an $m$-party quantum system $P_{X_2|U_2}$ where $Q = (U_2 = u_2, G = g)$. Then the guessing probability of $f(X_1)\|g(X_2)$ obtained from the $(n+m)$-party quantum system $P_{X_1X_2|U_1U_2}$ with $Q = (U = u, F = f, G = g)$ is bounded by
\[
P_{\rm guess}\big(f(X_1)\|g(X_2)\,|\,Z(W_q),Q\big) \le P_{X_1X_2|U_1U_2}^T\cdot(\lambda_1\otimes\lambda_2)\,.
\]

Proof. This is a direct consequence of Lemma 4.11. □

When the marginal system is of the form $P_{X_1|U_1}\otimes P_{X_2|U_2}$, this implies that the guessing probability is the product of the guessing probabilities of the two subsystems, or, in terms of the min-entropy, that it is additive. More precisely, the min-entropy of $n$ identical systems $\bigotimes_{i=1}^n P_{X_i|U_i}$ is $n$ times the min-entropy of the individual system.
4.4.3 An XOR-Lemma for quantum secrecy

Let us also consider the case where we obtain a partially secure bit from each of the subsystems. We will show that the XOR of the two partially secure bits is highly secure.

Lemma 4.12. Let $A_1$, $b_1$, and $c_1$ be the parameters associated with the semi-definite program (4.8) bounding the distance from uniform of a bit $f(X_1)\in\{0,1\}$ obtained from an $n$-party quantum system $P_{X_1|U_1}$ where $Q = (U_1 = u_1, F = f)$. Similarly, associate $A_2$, $b_2$, and $c_2$ with the distance from uniform of a bit $g(X_2)\in\{0,1\}$ obtained from an $m$-party quantum system $P_{X_2|U_2}$. Then the distance from uniform of the bit $f(X_1)\oplus g(X_2)$ obtained from the $(n+m)$-party system $P_{X_1X_2|U_1U_2}$, where $Q = (U = u, F = f, G = g)$, is bounded by the semi-definite program defined by $A$, $b$, and $c$ with $A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.



Proof. This follows from the fact that any $(n+m)$-party quantum system must fulfil Lemma 4.9 and that the $b$ describing the XOR of two bits can be written as the tensor product of the ones associated with each of the two bits. □

This implies that for any dual feasible solution, the tensor product is dual 
feasible for the tensor product problem. 

Lemma 4.13. Let $\lambda_1$ be dual feasible for (4.9) with $A_1$, $b_1$, and $c_1$ associated with an $n$-party quantum system and $\lambda_2$ dual feasible for an $m$-party quantum system described by $A_2$, $b_2$, and $c_2$. Then $\lambda = \lambda_1\otimes\lambda_2$ is dual feasible for the program $A$, $b$, and $c$ where $A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.

Proof. $\lambda_1\otimes\lambda_2$ fulfils the dual constraints because
\[
(A_1\otimes A_2)(\lambda_1\otimes\lambda_2) = b_1\otimes b_2\,.
\]
Furthermore, the tensor product of two positive semi-definite matrices is again positive semi-definite. □



We can now formulate the XOR-Lemma for quantum secrecy. 
Theorem 4.4 (XOR-Lemma for quantum secrecy). Let $P_{X_1|U_1}$ be an $n$-party quantum system and $f(X_1)$ a bit such that $d(f(X_1)\,|\,Z(W_q),Q)\le P_{X_1|U_1}^T\lambda_1/2$ with $Q = (U_1 = u_1, F = f)$. Similarly, associate $d(g(X_2)\,|\,Z(W_q),Q)\le P_{X_2|U_2}^T\lambda_2/2$ with a bit from an $m$-party quantum system $P_{X_2|U_2}$ where $Q = (U_2 = u_2, G = g)$. Then the distance from uniform of $f(X_1)\oplus g(X_2)$ obtained from the $(n+m)$-party quantum system $P_{X_1X_2|U_1U_2}$ with $Q = (U = u, F = f, G = g)$ is bounded by
\[
d\big(f(X_1)\oplus g(X_2)\,|\,Z(W_q),Q\big) \le \tfrac12\cdot P_{X_1X_2|U_1U_2}^T\cdot(\lambda_1\otimes\lambda_2)\,.
\]

Proof. This follows directly from Lemma 4.13. □



4.5 Key Distribution from Product Systems 

We can now relate the above technical lemmas to the security of quantum key distribution. In a first step, we will show the security of key distribution if the marginal distribution as seen by Alice and Bob is the product of several (identical) independent systems. In the next section, we will remove the condition of independence: knowing that we are in a permutation-invariant scenario, we will be able to relate the security of an arbitrary distribution to the security of independent distributions.

In the quantum case, most steps on the way to a secure key are already 
known. The crucial step is to bound Eve's guessing probability about 
the raw key, which directly relates to Eve's min-entropy. Once the min- 
entropy is bounded, Alice and Bob can do information reconciliation and 
privacy amplification to obtain a secure key. 

The key-distribution protocol proceeds in three steps: 

• Parameter estimation: Alice and Bob obtain a distribution $P_{XY|UV}$. In order to be able to bound Eve's knowledge about the raw key, they need to estimate the probability distribution $P_{XY|UV}$ of the individual systems.

• Information reconciliation: Alice sends some information about her raw key to Bob, such that he can correct his errors.

• Privacy amplification: Alice and Bob apply a public hash function to their raw keys in order to create a highly secure key.

For a more detailed explanation of these steps, we refer to Chapter 3.

4.5.1 Parameter estimation

A parameter estimation protocol should $\varepsilon$-securely filter 'bad' input systems and should be $\varepsilon'$-robust on some 'good' input systems (see Section 3.5.1).

In order to estimate the quality of their systems, Alice and Bob fix as parameters the probabilities $\kappa$ and $p$ and the values $P_{\rm guess}$ and $\delta$.

Protocol 5 (Parameter estimation).

1. Alice and Bob receive a system $P_{\mathbf{XY}|\mathbf{UV}} = P_{XY|UV}^{\otimes n}$.

2. Alice chooses $U$ such that for each $i$ with probability $1-\kappa$, it holds that $U_i = u_k$, where $u_k$ is the input from which a raw key bit can be generated, and with probability $\kappa$ she chooses one of the $|\mathcal U|$ inputs uniformly at random.

3. Bob chooses $V$ such that $V_i = v_k$ with probability $1-\kappa$ and with probability $\kappa$, $V_i$ is chosen uniformly at random.

4. They input $u$ and $v$ into the system and obtain the outputs $x$ and $y$.

5. They exchange the inputs over the public authenticated channel.

6. If fewer than $(1-\kappa)^2 p n$ inputs were $(U_i, V_i) = (u_k, v_k)$, they abort.

7. Let $t$ be the number of inputs where both did not choose $u_k$ nor $v_k$. If any combination $(u, v)$ occurred fewer than $\kappa^2 p n/|\mathcal U||\mathcal V|$ times, they abort.

8. From the inputs where they both chose a uniform input they estimate the distribution by $\hat P_{XYUV}(x,y,u,v) = |\{i : (x_i, y_i, u_i, v_i) = (x,y,u,v)\}|/t$. Define $\mathcal P$ as the set of all $P_{XYUV}$ such that $|\mathcal U||\mathcal V|\,P_{XYUV}^T\lambda\le P_{\rm guess}$ for some dual feasible $\lambda$ (see (4.4)) and $P(X\neq Y\,|\,U = u_k, V = v_k)\le\delta$. If $d(\hat P_{XYUV}, \mathcal P) > \eta$ they abort, otherwise they accept.
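A simulation of the input choices, the two abort tests and the estimation step of Protocol 5, added here as an example (not code from the thesis). It assumes binary inputs with $u_k = v_k = 0$, an honest source that is a constructed noisy PR box, and it applies only the error-rate test on $\delta$ in Step 8; the guessing-probability test needs a dual feasible $\lambda$ from the semi-definite program and is left out.

```python
"""Simulation of Protocol 5 (parameter estimation); added example, not the
thesis's code. Assumptions: binary inputs with u_k = v_k = 0, honest source a
constructed noisy PR box, and only the error-rate test of Step 8 is applied
(the guessing-probability test needs a dual feasible lambda from the SDP)."""
import random
from collections import Counter
from itertools import product
from typing import Dict, List, Tuple

Record = Tuple[int, int, int, int, bool]   # (x, y, u, v, both_chose_uniformly)
Box = Dict[Tuple[int, int], Dict[Tuple[int, int], float]]


def noisy_pr_box(eps: float) -> Box:
    """P(x, y | u, v) = (1 - eps)/2 if x xor y == u*v, else eps/2 (constructed source)."""
    return {(u, v): {(x, y): (1 - eps) / 2 if (x ^ y) == (u & v) else eps / 2
                     for x, y in product((0, 1), repeat=2)}
            for u, v in product((0, 1), repeat=2)}


def sample_output(box: Box, u: int, v: int, rng: random.Random) -> Tuple[int, int]:
    """Draw one output pair (x, y) of the box on input (u, v)."""
    r, acc = rng.random(), 0.0
    for xy, prob in box[(u, v)].items():
        acc += prob
        if r < acc:
            return xy
    return xy  # rounding guard


def choose_and_measure(box: Box, n: int, kappa: float, rng: random.Random) -> List[Record]:
    """Steps 2-5: each party uses the key input with probability 1 - kappa and a
    uniformly random input with probability kappa, then the box is queried.
    Simulation assumption: in Step 5 the parties also announce whether the
    input was the uniform choice, so both know which rounds are test rounds."""
    records: List[Record] = []
    for _ in range(n):
        a_uni, b_uni = rng.random() < kappa, rng.random() < kappa
        u = rng.choice((0, 1)) if a_uni else 0        # u_k = 0
        v = rng.choice((0, 1)) if b_uni else 0        # v_k = 0
        x, y = sample_output(box, u, v, rng)
        records.append((x, y, u, v, a_uni and b_uni))
    return records


def evaluate(records: List[Record], kappa: float, p: float, delta: float):
    """Steps 6-8. Returns (accepted, reason, estimate of P_XYUV from the test rounds)."""
    n, n_inputs = len(records), 4                    # |U| |V| = 4
    key_rounds = [r for r in records if (r[2], r[3]) == (0, 0)]
    # Step 6: enough rounds with the key-generating input pair (u_k, v_k)
    if len(key_rounds) < (1 - kappa) ** 2 * p * n:
        return False, "too few key rounds", {}
    # Step 7: every input pair occurred often enough among the test rounds
    test = [r for r in records if r[4]]
    t = len(test)
    counts = Counter((r[2], r[3]) for r in test)
    if t == 0 or any(counts[uv] < kappa ** 2 * p * n / n_inputs
                     for uv in product((0, 1), repeat=2)):
        return False, "an input pair is too rare", {}
    # Step 8: estimate P_XYUV from the test rounds, then test the key-input error rate
    estimate = {k: c / t for k, c in Counter(r[:4] for r in test).items()}
    err = sum(1 for r in key_rounds if r[0] != r[1]) / len(key_rounds)
    if err > delta:
        return False, "error rate above delta", estimate
    return True, "accept", estimate


def run_protocol(eps: float, n: int, kappa: float, p: float, delta: float, seed: int):
    """Full run of Protocol 5 against the constructed honest source."""
    rng = random.Random(seed)
    return evaluate(choose_and_measure(noisy_pr_box(eps), n, kappa, rng), kappa, p, delta)
```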




Definition 4.7. Let $\mathcal P$ be a set of distributions $P_{XYUV}$. The set of systems $\mathcal P^{\eta}$ are all distributions which have distance at least $\eta$ with the set $\mathcal P$, i.e.,
\[
\mathcal P^{\eta} = \big\{P_{XYUV}\ \big|\ d(P_{XYUV}, P^*_{XYUV})\ge\eta\ \text{for all } P^*_{XYUV}\in\mathcal P\big\}\,.
\]

Definition 4.8. Let $\mathcal P$ be a set of distributions $P_{XYUV}$. The set of systems $\mathcal P^{-\eta}$ are all distributions which have distance at least $\eta$ with the complement of the set $\mathcal P$, i.e.,
\[
\mathcal P^{-\eta} = \big\{P_{XYUV}\ \big|\ d(P_{XYUV}, P^*_{XYUV})\ge\eta\ \text{for all } P^*_{XYUV}\notin\mathcal P\big\}\,.
\]

We further define the set of conditional systems which are $\eta$-far or $\eta$-close to a certain set by the closeness of the distributions which can be obtained from them by choosing the input distribution to be uniform.

Definition 4.9. Let $\mathcal P_{\rm cond}$ be a set of systems $P_{XY|UV}$. For any system $P_{XY|UV}$, consider the distribution $P_{XYUV} = P_{XY|UV}/(|\mathcal U||\mathcal V|)$. Then a system $P_{XY|UV}$ is in $\mathcal P^{\eta}_{\rm cond}$ if $P_{XYUV}\in\mathcal P^{\eta}$, and $P_{XY|UV}$ is in $\mathcal P^{-\eta}_{\rm cond}$ if $P_{XYUV}\in\mathcal P^{-\eta}$.

The reason to take exactly this definition of $\mathcal P^{\eta}_{\rm cond}$ is that it is useful to estimate $P_{XY|UV}^T\lambda$, where $P_{XY|UV}$ is the vector of all probabilities in the conditional distribution and $\lambda$ is some vector. This is in fact exactly the form of the bound on the guessing probability.

Lemma 4.14. Let $\mathcal P = \{P^*_{XY|UV}\}$. For all $P_{XY|UV}\notin\mathcal P^{\eta}_{\rm cond}$, it holds that
\[
P_{XY|UV}^T\cdot\lambda \le P^{*\,T}_{XY|UV}\cdot\lambda + |\mathcal U||\mathcal V|\cdot\eta\cdot\Big(\sum_i|\lambda_i|\Big)\,.
\]

Proof.
\[
\begin{aligned}
\big(P_{XY|UV}^T - P^{*\,T}_{XY|UV}\big)\cdot\lambda
&= |\mathcal U||\mathcal V|\cdot P_{XYUV}^T\cdot\lambda - |\mathcal U||\mathcal V|\cdot P^{*\,T}_{XYUV}\cdot\lambda\\
&= |\mathcal U||\mathcal V|\cdot\big(P_{XYUV}^T - P^{*\,T}_{XYUV}\big)\cdot\lambda\\
&\le |\mathcal U||\mathcal V|\cdot\eta\cdot\Big(\sum_i|\lambda_i|\Big)\,. \qquad\square
\end{aligned}
\]

We will need the Sampling Lemma (Lemma 2.3, p. 28) to show that our protocol is secure, i.e., that it $\varepsilon$-securely filters input states whose guessing probability exceeds $P_{\rm guess} + |\mathcal U||\mathcal V|\,\eta\sum_i|\lambda_i|$ for the individual systems.
Lemma 4.15. Protocol 5 $\varepsilon$-securely filters $\mathcal P^{\eta}_{\rm cond}$ with
\[
\varepsilon = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|\cdot e^{-\frac{t'\eta^2}{8|\mathcal X||\mathcal Y|}}\,,
\]
where $t' = \kappa^2 p n/|\mathcal U||\mathcal V|$.

Proof. If for each of the conditional distributions $P_{XY|U=u,V=v}$ the estimate is within $\eta$, this also holds for the total distribution $P_{XYUV}$. By Lemma 2.3 (p. 28) the probability that for any conditional distribution the estimate is $\eta$-far is at most $|\mathcal X||\mathcal Y|\,e^{-t'\eta^2/(8|\mathcal X||\mathcal Y|)}$, where $t' = \kappa^2 p n/|\mathcal U||\mathcal V|$. We obtain the statement by the union bound over all inputs. □

Note that $\varepsilon\in O(2^{-n})$ for any constant $0 < \kappa, p < 1$ and $\eta > 0$.

Lemma 4.16. Protocol 5 is $\varepsilon'$-robust on $(\mathcal P^{-\eta}_{\rm cond})^{\otimes n}$ with
\[
\varepsilon' = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|\cdot e^{-\frac{t'\eta^2}{8|\mathcal X||\mathcal Y|}}
+ e^{-2n\big((1-p)(1-\kappa)^2\big)^2} + |\mathcal U||\mathcal V|\cdot e^{-2n\big(\frac{(1-p)\kappa^2}{|\mathcal U||\mathcal V|}\big)^2}\,,
\]
where $t' = \kappa^2 p n/|\mathcal U||\mathcal V|$.

Proof. This follows by the same argument as Lemma 4.15 and a Chernoff bound (see Lemma 2.1, p. 27) on the probability that the protocol aborts because any of the inputs did not occur sufficiently often. □

It holds that $\varepsilon'\in O(2^{-n})$ for any constant $0 < \kappa, p < 1$ and $\eta > 0$.

Lemma 4.17. The protocol $\varepsilon$-securely filters systems whose guessing probability is larger than $P_{\rm guess} + \eta'$ for the individual system, where $\eta' = |\mathcal U||\mathcal V|\,\eta\sum_i|\lambda_i|$.

Proof. This is a direct consequence of Lemma 4.15 and Lemma 4.14 and the fact that the guessing probability is given by $P_{XY|UV}^T\lambda$, see (4.4). □

Lemma 4.17 also implies that the protocol filters systems with small min-entropy, i.e., $H_{\min}(X\,|\,Z(W_q)) < -\log_2 P_{\rm guess}$.

Lemma 4.18. The protocol $\varepsilon$-securely filters systems whose error probability is larger than $\delta + \eta'$ for the individual systems, where $\eta' = |\mathcal U||\mathcal V|\,\eta\sum_i|\lambda_i|$.

Proof. This follows from the definition of $\mathcal P^{\eta}_{\rm cond}$. □
4.5.2 Information reconciliation

Having estimated the probability of error $\delta$ of their key bits in the previous section, Alice and Bob can do information reconciliation by applying a two-universal hash function with output length $m$ bits, where $m = n\cdot h(\delta) + k'$, and they can almost surely correct their errors, i.e., the keys will be equal except with exponentially small probability.

Protocol 6 (Information reconciliation).

1. Alice obtains $x$ and Bob $y$ distributed according to $P_{\mathbf{XY}}$ with $\mathcal X = \mathcal Y = \{0,1\}$. Alice outputs $x' = x$.

2. Alice chooses a function $f\in\mathcal F: \{0,1\}^n\to\{0,1\}^m$ at random, where $\mathcal F$ is a two-universal set of functions.

3. She sends the function $f$ and the value $f(x)$ to Bob.

4. Bob chooses $y'$ such that $d_H(y, y')$ is minimal among all strings $z$ with $f(z) = f(x)$ (if there are two possibilities, he chooses one at random) and outputs $y'$.

The following theorem by Brassard and Salvail states that information reconciliation can be achieved this way. We state the theorem with a slightly stronger bound on the error probability than the one originally given in [BS93].

³ Information reconciliation using a two-universal hash function has the disadvantage that the decoding procedure (i.e., for Bob to find $y'$) cannot be done in a computationally efficient way, in general. It is possible to use a code for information reconciliation instead, and there exist codes which can be efficiently decoded [Hol06]. However, in our setup the theoretical efficiency of the decoding procedure is actually not important, since there exist codes with very good decoding properties in practice and Alice and Bob can test whether they have correctly decoded using a short hash value of their strings. In case decoding does not succeed, they can repeat the protocol, resulting in some loss of robustness.
Theorem 4.5 (Information reconciliation [BS93]). Let $x$ be an $n$-bit string and $y$ another $n$-bit string obtained by sending $x$ over a binary symmetric channel with error parameter $\delta$. Assume the function $f:\{0,1\}^n\to\{0,1\}^m$ is chosen at random amongst a two-universal set of functions. Choose $y'$ such that $d_H(y, y')$ is minimal among all strings $r$ with $f(r) = f(x)$. Then
\[
\Pr[x\neq y'] \le e^{-2\kappa^2 n} + 2^{\,n\cdot h(\delta+\kappa) - m}\,,
\]
where $h(p) = -p\cdot\log_2 p - (1-p)\log_2(1-p)$ is the binary entropy function.

Proof. $x\neq y'$ either if $d_H(x,y)$ is large or if $f(x) = f(y')$ for some $y'\neq x$. The probability that the strings $x$ and $y$ differ at more than $n(\delta+\kappa)$ positions is bounded by
\[
\Pr[d_H(x,y) > n\cdot(\delta+\kappa)] \le e^{-2\kappa^2 n}\,.
\]
The probability that a $y'\neq x$ with small $d_H(x,y')$ is mapped to the same value by $f$ is
\[
\Pr[f(x) = f(y'),\ d_H(x,y')\le n(\delta+\kappa)] \le 2^{-m}\cdot\sum_{i=0}^{n(\delta+\kappa)}\binom{n}{i} \le 2^{-m}\,2^{\,n\cdot h(\delta+\kappa)}\,.
\]
The theorem follows by the union bound. □

Lemma 4.19. The protocol is $\varepsilon$-correct on input $P^{\otimes n}_{XY}$ such that $P(X\neq Y)\le\delta$ where, for any $\kappa > 0$,
\[
\varepsilon = e^{-2\kappa^2 n} + 2^{\,n\cdot h(\delta+\kappa) - m}\,,
\]
and it is 0-robust on all inputs.

Proof. Correctness follows directly from Theorem 4.5. Robustness follows from the fact that there always exists a $y'$ such that $f(y') = f(x)$. □

For any $\kappa > 0$ and $m > n\cdot h(\delta+\kappa)$, this value is $\in O(2^{-n})$.
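Protocol 6 and the bound of Theorem 4.5 in code, added as an example (not the thesis's own): the two-universal family is taken to be the GF(2)-linear maps $x\mapsto Mx$ for a uniformly random binary $m\times n$ matrix $M$, and Bob's decoding step is the brute-force search over all $2^n$ strings, which is feasible only for the toy lengths used here (footnote 3).

```python
"""Information reconciliation with a two-universal hash (Protocol 6) and the
failure bound of Theorem 4.5; added example, not code from the thesis. The
hash family (random GF(2)-linear maps) and the brute-force decoder are this
example's own choices."""
import math
import random
from typing import List, Optional


def sample_hash(n: int, m: int, rng: random.Random) -> List[int]:
    """Random m x n binary matrix M, stored as m row masks over n bits.
    For x != x', Pr_M[Mx = Mx'] = 2^-m, so the family is two-universal."""
    return [rng.getrandbits(n) for _ in range(m)]


def apply_hash(rows: List[int], x: int) -> int:
    """f(x) = M x over GF(2): bit r of the result is the parity of row_r AND x."""
    out = 0
    for r, mask in enumerate(rows):
        out |= (bin(mask & x).count("1") & 1) << r
    return out


def bsc(x: int, n: int, delta: float, rng: random.Random) -> int:
    """Send x over a binary symmetric channel with error probability delta."""
    y = x
    for i in range(n):
        if rng.random() < delta:
            y ^= 1 << i
    return y


def decode(rows: List[int], n: int, y: int, fx: int,
           rng: Optional[random.Random] = None) -> int:
    """Step 4 of Protocol 6: y' minimises d_H(y, y') among all z with f(z) = f(x);
    ties are broken at random. Brute force over all 2^n strings (the
    inefficiency footnote 3 points out; fine for the toy n used here)."""
    rng = rng or random.Random(0)
    best: List[int] = []
    best_dist = n + 1
    for z in range(1 << n):
        if apply_hash(rows, z) != fx:
            continue
        d = bin(z ^ y).count("1")
        if d < best_dist:
            best, best_dist = [z], d
        elif d == best_dist:
            best.append(z)
    return rng.choice(best)


def h(p: float) -> float:
    """Binary entropy function h(p) = -p log2 p - (1-p) log2 (1-p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def failure_bound(n: int, m: int, delta: float, kappa: float) -> float:
    """Theorem 4.5: Pr[x != y'] <= exp(-2 kappa^2 n) + 2^(n h(delta + kappa) - m)."""
    return math.exp(-2 * kappa ** 2 * n) + 2.0 ** (n * h(delta + kappa) - m)


def reconcile_once(n: int, m: int, delta: float, seed: int) -> bool:
    """One run of Protocol 6 on a random n-bit x; True when Bob recovers x."""
    rng = random.Random(seed)
    x = rng.getrandbits(n)                 # Alice's raw key
    y = bsc(x, n, delta, rng)              # Bob's noisy copy
    rows = sample_hash(n, m, rng)          # Alice's random f, sent together with f(x)
    return decode(rows, n, y, apply_hash(rows, x), rng) == x


def empirical_failure_rate(n: int, m: int, delta: float, trials: int) -> float:
    """Fraction of failed runs, to be compared with failure_bound."""
    failures = sum(not reconcile_once(n, m, delta, s) for s in range(trials))
    return failures / trials
```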

When some information about the raw key is released — such as, for 
example, when Alice and Bob do information reconciliation — the min- 
entropy can at most be reduced by the number of bits communicated, 
see [ Ren05J. 
Theorem 4.6 (Chain rule [Ren05]). Let $\rho_{XEC}$ be classical on $C$. Then
\[
H_{\min}(X\,|\,E,C)_\rho \ge H_{\min}(X\,|\,E)_\rho - H_{\max}(C) \ge H_{\min}(X\,|\,E)_\rho - m\,,
\]
where $m = \log_2|\mathcal C|$ is the number of bits of $C$.

4.5.3 Privacy amplification

It is possible to create a highly secure key from a partially secure string by applying a two-universal hash function. The distance from uniform of the final key string is given by the following theorem.

Theorem 4.7 (Privacy amplification [RK05, Ren05]). Let $\rho_{XE}$ be classical on $\mathcal H_X$ and let $\mathcal F$ be a family of two-universal hash functions from $\mathcal X$ to $\{0,1\}^s$. Then
\[
d(\rho_{F(X)EF}\,|\,EF) \le \tfrac12\sqrt{2^{-(H_{\min}(X|E)_{\rho} - s)}} \le 2^{-\frac12(H_{\min}(X|E)_{\rho} - s)}\,.
\]
4.5.4 Key distribution on product inputs 

We can now put everything together to obtain a key-distribution scheme. As discussed in Section 3.5.4, a key-distribution protocol should be secure. This means that it should output the same key to Alice and Bob (correctness) and that Eve should not know anything about the key (secrecy) (the exact definitions are given in Definition 3.13, p. 98). Furthermore, the protocol should output a key when the adversary is passive, i.e., it should be robust.

Protocol 7 (Key distribution).

1. Alice and Bob receive $P_{\mathbf{XY}|\mathbf{UV}}$.

2. They apply parameter estimation using Protocol 5.

3. They do information reconciliation using Protocol 6.

4. Privacy amplification: Alice chooses a function $f:\{0,1\}^n\to\{0,1\}^s$, $f\in\mathcal F$, from a two-universal set and sends $f$ to Bob. Alice outputs $f(x)$ and Bob $f(y')$.

Lemma 4.20. The protocol is $\varepsilon$-secret with $\varepsilon\in O(2^{-n})$ and $\varepsilon'$-correct with $\varepsilon'\in O(2^{-n})$ for $m > n\cdot h(\delta)$ and $s = q\cdot n < -\log_2 P_{\rm guess} - m/n$. It is $\varepsilon''$-robust on $(\mathcal P^{-\eta})^{\otimes n}$ with $\varepsilon''\in O(2^{-n})$.

Proof. This is a direct consequence of the fact that each step in the protocol is secure (Lemmas 4.15 and 4.19 and Theorem 4.7), taking into account Theorem 4.6. Robustness follows from the robustness of the parameter-estimation protocol, Lemma 4.16. □

The secret key rate is the length of the key $s$ that the protocol can output per system and still remain secure. We obtain the following.

Lemma 4.21. The scheme reaches a key rate $q$ of
\[
q = -\log_2 P_{\rm guess} - h(\delta)\,.
\]

Lemma 4.22. The scheme reaches a positive key rate $q$ whenever
\[
-\log_2 P_{\rm guess} - h(\delta) > 0\,.
\]


4.6 Removing the Requirement of Independence 

We have seen that Alice and Bob can do key agreement (i.e., they either agree on a secret key or abort) if they share i.i.d. distributions. We now want to remove the requirement of independence.

4.6.1 A special case: the CHSH inequality

First, we consider a special case: the one where Alice and Bob have two inputs and two outputs. In this case, Alice and Bob can apply a (classical) map to their inputs and outputs such that the distribution they share afterwards actually is i.i.d., more precisely a convex combination of i.i.d. distributions. The systems obtained this way, furthermore, still violate the CHSH inequality by the same amount.⁴

⁴ A similar map also exists for the generalization of the CHSH inequality, the Braunstein-Caves inequalities.

Assume Alice and Bob share an arbitrary distribution $P_{\mathbf{XY}|\mathbf{UV}}$ where $\mathbf X, \mathbf Y, \mathbf U, \mathbf V$ are $n$-bit strings. They can perform a sequence of local operations and public communication in order to obtain a system which corresponds to the convex combination of $n$ independent unbiased PR boxes with error $\varepsilon$, i.e., systems such that $\Pr[X\oplus Y = u\cdot v] = 1-\varepsilon$ for all $u, v$ and where $X$ and $Y$ are random bits (see Figure 5.1, p. 144).

The local operations achieving this are given in [MAG06, MRW+09]. We restate them here briefly: For each system $i$, Alice and Bob choose the local map independently in two steps. First, with probability 1/2 each, they do either of the following:

1. nothing

2. both flip their outcome bits, i.e., $x_i\to x_i\oplus 1$ and $y_i\to y_i\oplus 1$.

Then, with probability 1/4 each, they do one of the following:

1. nothing

2. $x_i\to x_i\oplus u_i$ and $v_i\to v_i\oplus 1$

3. $u_i\to u_i\oplus 1$ and $y_i\to y_i\oplus v_i$

4. $u_i\to u_i\oplus 1$, $x_i\to x_i\oplus u_i\oplus 1$, $v_i\to v_i\oplus 1$ and $y_i\to y_i\oplus v_i$.

The choice of local operation needs 3 random bits per system, which have to be communicated from Alice to Bob. Since each of these operations conserves the 'probability of error' $\varepsilon_i$, a system with the same error parameter — but now an unbiased one with the same error for all inputs — is obtained. When this transformation is applied to each input/output bit of a distribution $P_{\mathbf{XY}|\mathbf{UV}}$ taking $n$ bits input and giving $n$ bits output, a convex combination of products of such systems is obtained.

When using systems based on the CHSH or Braunstein-Caves inequalities for a key-distribution scheme, we can, therefore, take any system as input, apply the above transformation and, hereby, enforce the situation in which we already know that the key-distribution scheme is secure (as seen in Section 4.5).
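The local map of this section applied to a single two-input, two-output system, as an added example (not code from the thesis or from [MAG06, MRW+09]): averaging over the eight operations turns a constructed biased, input-dependent box into an unbiased noisy PR box whose error on every input equals the CHSH average error of the original.

```python
"""Local symmetrisation map of Section 4.6.1 on one two-input, two-output
system P_{XY|UV}; added example, not code from the thesis. A box is stored as
{(u, v): {(x, y): prob}} (this example's own layout)."""
from itertools import product
from typing import Dict, Tuple

Box = Dict[Tuple[int, int], Dict[Tuple[int, int], float]]
BITS = tuple(product((0, 1), repeat=2))   # the four pairs (0,0),(0,1),(1,0),(1,1)


def transform(box: Box) -> Box:
    """Average over the 2 x 4 local operations of the text.
    Step 1 (probability 1/2 each): nothing, or both parties flip their output.
    Step 2 (probability 1/4 each):
      op 0: nothing
      op 1: x -> x + u,  v -> v + 1
      op 2: u -> u + 1,  y -> y + v
      op 3: u -> u + 1,  x -> x + u + 1,  v -> v + 1,  y -> y + v
    For the new box on input (u, v) the old box is queried on the relabelled
    input and the outputs are relabelled; all additions are mod 2."""
    new: Box = {uv: {xy: 0.0 for xy in BITS} for uv in BITS}
    for (u, v) in BITS:
        for op in range(4):
            u_old = u ^ (op >> 1)          # ops 2 and 3 flip Alice's input
            v_old = v ^ (op & 1)           # ops 1 and 3 flip Bob's input
            for (x, y), prob in box[(u_old, v_old)].items():
                if op == 1:
                    x, y = x ^ u, y
                elif op == 2:
                    x, y = x, y ^ v
                elif op == 3:
                    x, y = x ^ u ^ 1, y ^ v
                for flip in (0, 1):        # step 1: both flip with probability 1/2
                    new[(u, v)][(x ^ flip, y ^ flip)] += prob / 8.0
    return new


def error(box: Box, u: int, v: int) -> float:
    """Pr[X xor Y != u*v | u, v]: the PR-box error on input (u, v)."""
    return sum(p for (x, y), p in box[(u, v)].items() if (x ^ y) != (u & v))


def chsh_error(box: Box) -> float:
    """Average error over the four inputs (1 minus the CHSH winning probability)."""
    return sum(error(box, u, v) for u, v in BITS) / 4.0


def is_unbiased_pr_box(box: Box, tol: float = 1e-12) -> bool:
    """True if every input has the same error and P(x,y|u,v) = P(x+1,y+1|u,v),
    i.e. the box is the unbiased PR box with error eps of the text."""
    eps = chsh_error(box)
    for (u, v) in BITS:
        if abs(error(box, u, v) - eps) > tol:
            return False
        for (x, y) in BITS:
            if abs(box[(u, v)][(x, y)] - box[(u, v)][(x ^ 1, y ^ 1)]) > tol:
                return False
    return True


# Constructed, biased and input-dependent box (not from the thesis); the
# comments give Pr[X xor Y != u*v | u, v] for each input pair.
BIASED_BOX: Box = {
    (0, 0): {(0, 0): 0.80, (1, 1): 0.10, (0, 1): 0.05, (1, 0): 0.05},  # error 0.10
    (0, 1): {(0, 0): 0.70, (1, 1): 0.15, (0, 1): 0.10, (1, 0): 0.05},  # error 0.15
    (1, 0): {(0, 0): 0.60, (1, 1): 0.30, (0, 1): 0.05, (1, 0): 0.05},  # error 0.10
    (1, 1): {(0, 1): 0.50, (1, 0): 0.30, (0, 0): 0.10, (1, 1): 0.10},  # error 0.20
}
```

Running `transform(BIASED_BOX)` yields a box with error 0.1375 on every input, the average of the four original errors, and with the pair symmetry of an unbiased PR box.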
4.6.2 The general case

In general, we do not know of a map, such as the one given in Section 4.6.1, to transform arbitrary systems into product systems. Nevertheless, we will be able to relate the security of the key-distribution scheme on any input to the security of the scheme on product inputs $P_{\mathbf{XY}|\mathbf{UV}} = P_{XY|UV}^{\otimes n}$, for which we have already seen that it is secure, in Section 4.5. The reason is that we know that security is 'permutation invariant' under the systems because each step of the protocol — parameter estimation, information reconciliation and privacy amplification — is permutation invariant.⁵ The post-selection theorem allows us to relate security of permutation-invariant states to the security of product states.

The post-selection theorem states that any permutation-invariant state can be obtained from the convex combination of i.i.d. (product) states by a measurement, and furthermore this measurement 'works' sufficiently often. Therefore, if our key-distribution scheme is secure for product distributions, it is still 'almost as secure' on a permutation-invariant one.

Technically, the post-selection technique [CKR09] gives a bound on the diamond norm between two completely positive trace-preserving maps (i.e., quantum channels) acting symmetrically on an $n$-party system. The diamond norm is directly related to the maximal probability of guessing whether one or the other map has been applied (on an input of choice), through the formula $p = 1/2 + (1/4)\|\mathcal E - \mathcal F\|_\diamond$ (i.e., the distinguishing advantage is then $(1/4)\|\mathcal E - \mathcal F\|_\diamond$). Therefore, it is especially useful in the context of cryptography, where a real map is compared to an ideal map — such as one that creates a key that is secure by construction. While the diamond norm is defined as a maximization over all possible input states, the post-selection technique states that in the case of permutation-invariant maps it is enough to consider them acting on a de Finetti state, i.e., a convex combination of product states $\tau_{\mathcal H^{\otimes n}} = \int\sigma^{\otimes n}\,\mu(d\sigma)$, where $\mu$ is the measure induced by the Hilbert-Schmidt metric. We now restate the main result of [CKR09].

Theorem 4.8 (Post-selection [CKR09]). Consider a linear map $\Delta$ from $\mathrm{End}(\mathcal H^{\otimes n})$ to $\mathrm{End}(\mathcal H')$.⁶ If for any permutation $\pi$ there exists a completely positive trace-preserving map $\mathcal K_\pi$ such that $\Delta\circ\pi = \mathcal K_\pi\circ\Delta$, then
\[
\|\Delta\|_\diamond \le g_{n,d}\,\big\|(\Delta\otimes\mathbb 1_{\mathcal K})\,\tau_{\mathcal H\mathcal K}\big\|_1\,,
\]
where $\mathbb 1_{\mathcal K}$ denotes the identity map on $\mathrm{End}(\mathcal K)$ and the factor $g_{n,d}\le(n+1)^{d^2-1}$, where $d = \dim\mathcal H$.

⁵ Otherwise permutation-invariance can be enforced by applying a random permutation on the systems at the start of the protocol.

⁶ Note that, in particular, $\Delta$ can be the difference between two completely positive trace-preserving maps $\mathcal E$ and $\mathcal F$.



For our purposes, this means roughly

$$\Pr[\mathcal{E}(\sigma^n) = \text{insecure}] \le (n+1)^{(d^2-1)} \int \Pr[\mathcal{E}(\sigma^{\otimes n}) = \text{insecure}]\, d\sigma ,$$

where $\sigma^n$ is a permutation-invariant input, and $\mathcal{E}$ denotes the event that the scheme is insecure. The very right-hand side is what we have analysed in the previous section, and because this is exponentially small, it remains exponentially small even when multiplied by the polynomial factor in front of it.

In our case, $\sigma$ represents the system $P_{XY|UV}$. We, therefore, need to model $P_{XY|UV}$ by a quantum state (note that this is only a mathematical tool and does not have any physical meaning). More precisely, we represent the distribution $P_{XYUV}$ by $\sigma$. Since our parameter estimation protocol is such that it filters the conditional distribution independently of the input distribution (it aborts if any input does not occur often enough), this is equivalent to the conditional distribution.

Lemma 4.23. Let $P_{XYUV}$ be a probability distribution. Then there exists a density matrix $\sigma$ in a Hilbert space $\mathcal{H}$ with $\dim(\mathcal{H}) = |\mathcal{X}||\mathcal{Y}||\mathcal{U}||\mathcal{V}|$ such that measuring $\sigma$ in the standard basis gives the distribution $P_{XYUV}$.



Proof. Associate with each element of the standard basis an outcome $x, y, u, v$. Take $\sigma = \sum_{j=1}^{|\mathcal{X}||\mathcal{Y}||\mathcal{U}||\mathcal{V}|} p_j\, |j\rangle\langle j|$ where the weights are $p_j = P_{XYUV}(x,y,u,v)$. □



This implies that we can use $d = |\mathcal{X}||\mathcal{Y}||\mathcal{U}||\mathcal{V}|$ in the above formula describing the security of our protocol. We can now state that the key-distribution protocol is secure on any input (not only product). The protocol furthermore reaches essentially the same key rate as in the product case. Robustness remains, of course, unchanged.

Theorem 4.9. The protocol is $\varepsilon$-secure with $\varepsilon \in O(2^{-n})$ on any input for $m > n \cdot h(\delta)$ and $s = q \cdot n < -\log_2 P_{\mathrm{guess}} - m/n$. It is $\varepsilon'$-robust on $(P^{\varepsilon})^{n}$ with $\varepsilon' \in O(2^{-n})$.

Proof. This follows directly from Lemma 4.20 using Theorem 4.8. □

4.7 The Protocol 

We can apply the generic security proof of Section 4.5 to a specific protocol. The implementation of this protocol is similar to [Eke91], i.e., it is an entanglement-based quantum key-distribution protocol. By the analysis given in Section 1.3 it is secure in the device-independent scenario.

Figure 4.4: Alice's and Bob's measurement bases in terms of polarization used in Protocol 8.

Protocol 8.

1. Alice creates $n$ maximally entangled states $|\Psi^-\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$, and sends one qubit of every state to Bob.

2. Alice and Bob randomly measure the $i$-th system in either the basis $u_0$ or $u_1$ (for Alice) or $v_0$, $v_1$ or $v_2$ (Bob); the five bases are shown in Figure 4.4. Bob flips his measurement result. They make sure that measurements on different subsystems commute.

3. The measurement results when both measured $u_0$, $v_2$ form the raw key.

4. For the remaining measurements they announce the results over the public authenticated channel and estimate the guessing probability $P_{\mathrm{guess}}$ and $\delta$ (see Section 4.5). If the parameters are such that key agreement is possible, they continue; otherwise they abort.

5. They do information reconciliation and privacy amplification as given in Sections 4.5.2 and 4.5.3.



When Alice and Bob use a noisy quantum channel for the above protocol, they will not obtain a perfect singlet state. Let us assume that they obtain a mixture of the singlet with weight $1-p$ and a fully mixed state with weight $p$. The guessing probability for each individual system is then given in Figure 4.3 and we give the key rate as a function of the parameter $p$ in Figure 4.5.

Figure 4.5: The key rate of Protocol 8 secure against quantum adversaries in the device-independent scenario as a function of the channel noise.
4.8 Concluding Remarks

In this chapter, we have shown that secure device-independent quantum key distribution is possible even against the most general attacks of the eavesdropper, under the additional requirement that the measurements of the honest parties on different subsystems must commute. Our security analysis does not use any Hilbert space formalism, only convex optimization, and works for any type of system.

It is an open question whether the requirement of commuting measurements is necessary. When basing security only on the (weaker) non-signalling condition, the analysis given in Chapter 5 implies that some additional requirement is indeed needed, but this does not imply that the same is the case against a (weaker) quantum adversary. If this is possible, it would, of course, be interesting to give a security proof of device-independent quantum key distribution where both the state and measurements are completely arbitrary.

A further open question is to find other systems which are (partially) se- 
cure against quantum adversaries. In particular, it is unknown whether 
there exist systems which are partially secure against quantum adversar- 
ies but completely insecure against non-signalling adversaries (in the con- 
text of key agreement, where we analyse security under public inputs). 
Finally, it would be interesting to see how the key rate of our key-distri- 
bution scheme behaves in the non-asymptotic scenario, i.e., where only 
a finite number of systems are considered and a key of finite length is 
created. 



Chapter 5 



Necessity of the 
Non-Signalling Condition 

5.1 Introduction 

Privacy amplification [BBR88, ILL89, KMR05] is the technique of applying a function to a partially secure string in order to obtain a (shorter) highly secure string. It can be used if the adversary holds classical as well as when she holds quantum information, and this might suggest that the same is true against non-signalling adversaries. In Chapter 3 we have seen that this is indeed the case if we impose further non-signalling conditions between the different subsystems. Privacy amplification is then even possible using a deterministic function. In this chapter, we will show that such an additional non-signalling condition within Alice's and Bob's laboratories is necessary, in the sense that without it, no privacy amplification is possible.

We will consider the case where Alice, Bob, and Eve share a system which is non-signalling between the three of them (but not between the subsystems). The system is such that it outputs a partially secure $n$-bit string to Alice and Bob. We then show that, no matter what function Alice and Bob apply to this string, they cannot obtain a highly secure bit. Put differently, Eve can attack the final key bit directly (without trying to learn the bit string).¹

As an example, consider the case where Alice and Bob share $n$ systems, each taking one bit input and giving one bit output on both sides and such that the outputs are uniform and fulfil $\Pr[X \oplus Y = U \cdot V] = 1 - \varepsilon$ for each input pair (see Figure 5.1). Note that this system can be expressed as a mixture of a system with error $\varepsilon'$ ($< \varepsilon$) of weight $1 - p = 1 - (\varepsilon - \varepsilon')/(1/2 - 2\varepsilon')$ and a completely random bit with weight $p = (\varepsilon - \varepsilon')/(1/2 - 2\varepsilon')$. It is now easy to see that the XOR cannot be used as privacy amplification function in this case because of the following attack [CM09]. Eve sends a system to Alice and Bob such that the first $n-1$ bits are just the outputs of $n-1$ independent systems, i.e., they have exactly error $\varepsilon$. The last system is created by Eve as a probabilistic mixture of the systems as described above. She first tosses a coin such that 'heads' has probability $p$. In case the result is 'heads', Eve chooses the last bit pair such that it corresponds to a system with error $\varepsilon'$ and accepts to know nothing about the XOR. If the result is 'tails', she tosses another coin and decides whether the outcome of the XOR should be 0 or 1. The system then outputs a random bit on Bob's side, and on Alice's side it outputs exactly the bit such that the XOR of all outputs corresponds to the result of the coin toss. Obviously, with probability $p$ Eve knows the XOR perfectly and this probability is independent of the number of systems $n$ Alice and Bob share. Furthermore, this attack works both in the non-signalling case (in which case $\varepsilon' = 0$), as well as in the quantum case (where $\varepsilon' \approx 0.15$), and it even works when signalling is only permitted in the 'forward' direction, i.e., when considering an even stronger restriction than what we will consider now.

The above attack is such that the marginal systems of Alice and Bob are 
exactly as expected. Alternatively, Eve could always send a local system 
such that she knows the outcome of the XOR with certainty. In that case, 
the probability not to get caught is the same as the probability not to get 
caught on a single system. In either scenario, the security only depends 
on the security of a single system and is independent of the total number 
of systems n. 

This already shows that the proof techniques we have used in the previ- 
ous chapters do not carry over to this case. 

¹ Maybe this is not so surprising; after all, Eve can delay her measurement and choose an attack depending on the hash function Alice and Bob have chosen. It might be more surprising that privacy amplification against quantum (or non-signalling) adversaries does work in certain cases.
Chapter outline The security definition and the eavesdropper's possibilities to attack are given in Section 5.2. We then give an intuition why privacy amplification does not work without an additional non-signalling assumption by describing the system as a probabilistic mixture of two systems, one of which is completely local. The maximum weight this local system can have is the local part and gives a lower bound on the adversarial knowledge. In Section 5.4 we show that one or two systems have the same local part and that we can, therefore, not hope to create a more secret bit by applying a function to the outputs of two systems than when considering a single system.

We then consider an arbitrary number of systems and give a good joint attack in Section 5.5.2. In Section 5.6.1 we show that applying the XOR to a randomly selected subset of systems (i.e., applying a linear function) is actually counter-productive: the more systems are XORed together, the better Eve can know the outcome. Finally, in Section 5.6.2 we show (again using the above attack) that even for arbitrary functions there exists a constant lower bound on the adversary's knowledge, and this bound is independent of the number of systems. This implies that there does not exist any function that can be used to obtain a secure bit, no matter how many systems are shared by Alice and Bob.



Related work The local part has been introduced in the context of quantum systems in [EPR92] and further studied in [Sca08] and [BGS10]. We are not aware of any work considering directly the possibility or impossibility of privacy amplification in this setting. Since a higher violation of the CHSH inequality (Section 2.6.1, Example 7, p. 52) corresponds to more secrecy, the question of privacy amplification is related to the question of non-locality distillation, i.e., whether several partially non-local systems can be used to obtain a more non-local one. This question has been investigated and both positive as well as negative answers have been found for special systems [FWW09, BS09, DW08, Sho09].



Contributions The contributions of this chapter are Lemma 5.5 about the local part of two systems, the attack of a non-signalling adversary against an arbitrary number of systems (Lemma 5.10) and the resulting impossibility of privacy amplification in the tripartite non-signalling case, given in Lemma 5.11 and Theorem 5.2. The results of this chapter have previously been published in [FHSW09] and [HRW08].



5.2 Scenario and Security Criteria 

We study the scenario where Alice and Bob share several approximations of PR boxes (see Example 2.9, p. 59); more precisely $n$ independent and unbiased PR boxes with error $\varepsilon$, defined below.

Definition 5.1. An unbiased PR box with error $\varepsilon$ is a system $P_{XY|UV}$, where $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0,1\}$, and for every pair $(u,v)$, $X$ and $Y$ are uniform random bits, and

$$\Pr[X \oplus Y = u \cdot v] = 1 - \varepsilon$$

(see also Figure 5.1).

Figure 5.1: An unbiased PR box with error $\varepsilon$.

The system we consider behaves like n systems, but we only require it to 
be non-signalling between Alice and Bob, i.e., two sets of interfaces. This 
means that even though the marginal system of Alice and Bob is actually 
a 2n-party non-signalling system, we only consider it as a 2-party non- 
signalling system which takes an n-bit string as input and gives an n-bit 
string as output on each side. 
We define a short notation for the bipartite non-signalling system that behaves like $n$ unbiased PR boxes with error $\varepsilon$.

Definition 5.2. The system $P^{n,\varepsilon}_{XY|UV}$ is a bipartite non-signalling system with $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0,1\}^n$, such that

$$P^{n,\varepsilon}_{XY|UV} := \prod_{i=1}^{n} P_{X_iY_i|U_iV_i} ,$$

and where $P_{X_iY_i|U_iV_i}$ is an unbiased PR box with error $\varepsilon$.

Figure 5.2: Alice's and Bob's system looks like $n$ independent systems.

For an impossibility proof, we can make the assumption that the system 
behaves exactly this way (i.e., Alice and Bob do not need to do parameter 
estimation) and only consider the distance from uniform of Alice's key 
(i.e., they do not do information reconciliation and Bob does not out- 
put anything). Since the distance from uniform of a key string is lower- 
bounded by the distance of each bit, it will be enough to consider the case 
when Alice's key consists of a single bit, and to give a specific (explicit) 
attack which reaches a high distance from uniform of this bit. 

More specifically, we will consider the case where Alice, Bob, and Eve share a tripartite non-signalling system such that the marginal of Alice and Bob corresponds to $n$ unbiased PR boxes with error $\varepsilon$ (see Definition 5.2 and Figure 5.2), plus a classical public authenticated channel (see Figure 5.3). Alice applies a (public) function $f : \{0,1\}^n \to \{0,1\}$ to her $n$-bit string to obtain a single bit. Bob outputs nothing. Eve receives the information sent over the channel $Q$, where $Q = (U = u, V = v, F = f)$² (we have included the inputs in analogy with the situation in the previous chapters, although we will see that for the specific attack we will use, it is not necessary to know the inputs). Eve can then choose an input (possibly depending on $Q$) to her interface of the non-signalling system and obtains an output. The only restriction hereby is the following condition.

² As in the previous chapters, lower case letters in $Q$ mean that we consider the distance from uniform given this specific value.
Figure 5.3: Our real system (top). Alice and Bob share a public authenticated channel and a non-signalling system. The key bit is $B = f(X)$. In the ideal system (bottom), the bit $B$ is a perfectly uniform bit unrelated to the other parts of the system.



Condition 3. The system $P_{XYZ|UVW}$ is tripartite non-signalling with marginal $P_{XY|UV} = P^{n,\varepsilon}_{XY|UV}$.



The distinguishing advantage between the real and ideal system is the distance from uniform of $B = f(X)$ given $Z(W_{n\text{-}s})$ and $Q$, denoted by $d(B|Z(W_{n\text{-}s}), Q)$. We recall the definition here; see Definition 3.2 for more details.

$$d(B|Z(W_{n\text{-}s}),Q) = \frac{1}{2}\sum_{b,q}\,\max_{w}\,\sum_{z} P_{Z,Q|W=w}(z,q)\cdot\big|P_{B|Z=z,Q=q,W=w}(b) - P_U(b)\big| .$$

The distance from uniform is exactly the advantage Eve has when guess- 
ing the bit B and it, therefore, quantifies the knowledge Eve has about 
the key bit. Obviously, this quantity depends on the system Alice and 
Bob share, Eve's strategy (the non-signalling partition she uses), and the 
information Q sent over the public channel, in particular, the hash func- 
tion / that is applied to the output bits. 

The quantity that we are interested in, the distance from uniform of $B$ given $Z(W_{n\text{-}s})$ and $Q$, is defined as a maximization over all possible non-signalling strategies of Eve. We will sometimes also consider the distance from uniform given a specific adversarial strategy, defined as

$$d(B|Z(w),Q) = \frac{1}{2}\sum_{b,q}\sum_{z} P_{Z,Q|W=w}(z,q)\cdot\big|P_{B|Z=z,Q=q,W=w}(b) - P_U(b)\big|$$

(see Definition 3.3, p. 70 for details).

Since we will only consider the case when Alice tries to create a single 
secure bit, we can further simplify this expression. 

Lemma 5.1. For the case $B = f(X)$ with $f : \{0,1\}^n \to \{0,1\}$ and $Q = (U = u, V = v, F = f)$,

$$d(B|Z(w),Q) = \frac{1}{2}\sum_{z} p^{z}_{w}\,\Big|\sum_{x,y}(-1)^{f(x)}\,P^{z}_{XY|UV}(x,y,u,v)\Big| ,$$

where $\{(p^z_w, P^z_{XY|UV})\}_z$ are the elements of the non-signalling partition defined by $w$.

Proof.

$$d(B|Z(w),Q) = \frac{1}{2}\sum_{b,z} P_{Z,Q|W=w}(z,q)\,\Big|P_{B|Z=z,Q=q,W=w}(b) - \frac{1}{2}\Big| = \frac{1}{2}\sum_{z} p^{z}_{w}\,\Big|\sum_{x,y}(-1)^{f(x)}\,P^{z}_{XY|UV}(x,y,u,v)\Big| .$$

□
$d(B|Z(w),Q) = 0$ means that the eavesdropper has no knowledge about the bit $B$, while $d(B|Z(w),Q) = 1/2$ corresponds to complete knowledge. We will now show that there exists a strategy $w$ such that this distance from uniform is high, independent of the number of systems and of what function $f$ is applied to the output bits.

5.3 Best Non-Signalling Partition of a Single System

In this section, we show that the bound on the distance from uniform of the outputs of a bipartite system with binary inputs and outputs derived in Lemma 3.5, p. 72, is tight.

Lemma 5.2. Let $P_{XY|UV}$ be a non-signalling system with $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0,1\}$ and $\sum_{x \oplus y = u \cdot v} P_{XY|UV}(x,y,u,v)/4 = 1 - \varepsilon$, where $\varepsilon < 1/4$. Then for $Q = (U = u, V = v)$, there exists a non-signalling partition $w$ such that

$$d(X|Z(w),Q) = 2\varepsilon .$$

Proof. The proof is given by the non-signalling partition given in Figure 5.4. To see that Figure 5.4 defines a non-signalling partition, notice that the parameters $a_2, a_3, b_2, b_3, c_2, c_3, d_1, d_4$ (the ones for which $x \oplus y \neq u \cdot v$) fully characterize the non-signalling system. By the normalization ($\sum_i a_i = 1$, and similarly for $b$, $c$, and $d$) and the non-signalling condition ($a_1 + a_2 = b_1 + b_2$, etc.) we can express $a_1$ as

$$a_1 = \frac{1}{2}\cdot\big(1 - a_2 - a_3 + b_2 - b_3 - c_2 + c_3 + d_1 - d_4\big) .$$

This shows that the right-hand side and left-hand side of the equation are indeed equal. Because we assumed $4\varepsilon < 1$, all weights are positive. To see that it reaches this distance from uniform, note that with probability $a_2 + a_3 + b_2 + b_3 + c_2 + c_3 + d_1 + d_4 = 4\varepsilon$, $z$ is such that $P^z_{XY|UV}$ is local deterministic (i.e., $X$ and $Y$ are deterministic functions of $U$ and $V$), in which case knowing $U = u$ and $V = v$, $z$ gives perfect information about $X$. With probability $1 - 4\varepsilon$, $z$ is such that $P^z_{XY|UV}$ is a PR box, in which case even knowing $U = u$ and $V = v$, $X$ is a uniform random bit. □

Figure 5.4: The optimal non-signalling partition of a bipartite system with binary inputs and outputs.



In the above non-signalling partition, with probability $4\varepsilon$, the outcome $z$ is such that $P^z_{XY|UV}$ is local deterministic. We define the local part as the maximum weight a local system can have in a non-signalling partition.

Definition 5.3. Let $P_{X|U}$ be an $n$-party non-signalling system. The local part of $P_{X|U}$ is the maximal $p$ such that

$$P_{X|U} = p \cdot P^{\mathrm{loc}}_{X|U} + (1-p)\cdot P^{\mathrm{n\text{-}s}}_{X|U} ,$$

where $P^{\mathrm{loc}}_{X|U}$ is an ($n$-party) local system and $P^{\mathrm{n\text{-}s}}_{X|U}$ is an ($n$-party) non-signalling system.



For any bit obtained from the outputs of a non-signalling system, the local 
part is a lower bound on the distance from uniform as seen from a non- 
signalling adversary. 

Lemma 5.3. Let $P_{X|U}$ be a system with local part $p$. Then for any function $f : \mathcal{X} \to \{0,1\}$ such that $B = f(X)$ and $Q = (U = u, F = f)$,

$$d(B|Z(W_{n\text{-}s}),Q) \ge \frac{1}{2}\cdot p .$$

Proof. Any local system can be expressed as a convex combination of local deterministic systems. A system $P_{X|U}$ with local part $p$, therefore, has a non-signalling partition $w$ such that with probability $p$, $z$ is such that $P^z_{X|U}$ is local deterministic. For any local deterministic $P^z_{X|U}$, the output $X$ and, therefore, also $B = f(X)$ is a deterministic function of $U$. Therefore,

$$d(B|Z(W_{n\text{-}s}),Q) \ge d(B|Z(w),Q) = \frac{1}{2}\sum_{z} p^z_w\,\Big|\sum_{x}(-1)^{f(x)}\,P^z_{X|U}(x,u)\Big| \ge \frac{1}{2}\sum_{z\,:\,P^z_{X|U}\ \text{local deterministic}} p^z_w = \frac{1}{2}\cdot p .$$

□



Lemma 5.4. The local part of a system $P_{XY|UV}$ with $\mathcal{X} = \mathcal{Y} = \mathcal{U} = \mathcal{V} = \{0,1\}$ and $\sum_{x \oplus y = u \cdot v} P_{XY|UV}(x,y,u,v)/4 = 1 - \varepsilon$ where $\varepsilon < 1/4$ is $4\varepsilon$.

Proof. That this value can be reached follows from the non-signalling partition given in Figure 5.4. The optimality of this value follows from Lemma 5.3 and the bound on the distance from uniform of the bit $X$ given in Lemma 3.5, p. 72. □



5.4 A Special Case: Two Unbiased PR Boxes with Error ε

In the previous section, we have studied the local part of a bipartite system with binary inputs and outputs. In this section, we study the special case of two unbiased PR boxes with error $\varepsilon$. We show that the local part remains the same as for the case of a single unbiased PR box with error $\varepsilon$. By Lemma 5.3 this implies directly that privacy amplification of the outputs of two systems is impossible, independently of the function that is applied. The fact that the local part of several systems can be significantly higher than what would be expected when the local part of each individual system is analysed could give an intuition why privacy amplification of non-signalling secrecy is impossible also for an arbitrary number of systems, as we will see in Section 5.5.

Lemma 5.5. The local part of $P^{2,\varepsilon}_{XY|UV}$ is $4\varepsilon$.

Proof. The local part of two unbiased PR boxes with error $\varepsilon$ cannot be larger than $4\varepsilon$ as this would contradict the fact that $4\varepsilon$ is the local part of a single PR box with error $\varepsilon$. To see that this value can be reached we provide an explicit non-signalling partition: with probability $4\varepsilon - 8\varepsilon^2$, the system is one of the 64 local deterministic strategies which can be obtained from the strategy

$u_1u_2 \to x_1x_2$: $00 \mapsto 00$, $01 \mapsto 00$, $10 \mapsto 00$, $11 \mapsto 01$

$v_1v_2 \to y_1y_2$: $00 \mapsto 00$, $01 \mapsto 00$, $10 \mapsto 10$, $11 \mapsto 00$

by depolarization (see Section 4.6.1, p. 133). With probability $8\varepsilon^2$, it is one of the 64 local deterministic strategies which can be obtained from

$u_1u_2 \to x_1x_2$: $00 \mapsto 00$, $01 \mapsto 00$, $10 \mapsto 00$, $11 \mapsto 00$

$v_1v_2 \to y_1y_2$: $00 \mapsto 00$, $01 \mapsto 00$, $10 \mapsto 00$, $11 \mapsto 00$

by depolarization. With probability $1 - 4\varepsilon$ it is two PR boxes (see also Figure 5.5). □

Figure 5.5: The local part of two systems is as large as the one of a single system. Some of the local deterministic strategies correspond to independent local strategies for each of the two systems, while others are joint strategies for the two systems.

This has direct consequences for the amount of (non-signalling) secrecy 
which can be extracted from the outputs of two unbiased PR boxes with 
error e. In fact, it is not possible to apply a (public) function to the outputs 
of two systems such that the resulting bit is more secret than the output 
of a single system. 
Lemma 5.6. Assume a system $P^{2,\varepsilon}_{XY|UV}$ and $Q = (U = u, V = v, F = f)$ with $f : \{0,1\}^2 \to \{0,1\}$. Then

$$d(f(X)|Z(W_{n\text{-}s}),Q) \ge 2\varepsilon .$$

Proof. This follows directly from Lemmas 5.5 and 5.3. □

The above result also implies that by applying a function to the inputs and outputs of two unbiased PR boxes with error $\varepsilon$, it is not possible to create an unbiased PR box with error $\varepsilon'$, where $\varepsilon' < \varepsilon$. This fact was already known, even when not restricting the transformations to the application of functions [Sho09].

If the local part is large, we know that the distance from uniform of any bit we can extract from this system is also large. However, as has been shown in [FHSW09], the local part of $n$ unbiased PR boxes with error $\varepsilon$ behaves as $O(2^{-\lfloor n/2 \rfloor})$. If we want to show that the distance from uniform of a bit extracted from any number of systems is always high, we, therefore, need to give a different attack than the one determined by the local part.



5.5 Several Systems 

5.5.1 The general optimal attack on a bit 

What is the best attack a non-signalling adversary can do on a single bit which is obtained from the outcome of a non-signalling system with public inputs? According to Lemma 3.10, p. 77, this corresponds to finding the non-signalling partition with two outputs $z_0$ and $z_1$ such that for $P^{z_0}_{XY|UV}$ the bit $B$ is maximally biased towards 0 while for $P^{z_1}_{XY|UV}$ it is maximally biased towards 1. This optimization can be expressed as a linear programming problem.

Lemma 5.7. Let $P_{XYZ|UVW}$ be a tripartite non-signalling system. The distance from uniform of $B = f(X) \in \{0,1\}$ given $Z(W_{n\text{-}s})$ and $Q := (U = u, V = v, F = f)$ is given by the optimal value of the following optimization problem (we drop the index of the probability distribution in the notation).

$$\max:\ \frac{1}{2}\Bigg[\,p^{z_0}\Bigg(\sum_{(x,y):B=0} P^{z_0}(x,y,u,v) - \sum_{(x,y):B=1} P^{z_0}(x,y,u,v)\Bigg) + p^{z_1}\Bigg(\sum_{(x,y):B=1} P^{z_1}(x,y,u,v) - \sum_{(x,y):B=0} P^{z_1}(x,y,u,v)\Bigg)\Bigg]$$

s.t.

$$\sum_x P^{z_0}(x,y,u,v) - \sum_x P^{z_0}(x,y,u',v) = 0 ,$$
$$\sum_y P^{z_0}(x,y,u,v) - \sum_y P^{z_0}(x,y,u,v') = 0 ,$$
$$\sum_x P^{z_1}(x,y,u,v) - \sum_x P^{z_1}(x,y,u',v) = 0 ,$$
$$\sum_y P^{z_1}(x,y,u,v) - \sum_y P^{z_1}(x,y,u,v') = 0 ,$$
$$p^{z_0}\cdot P^{z_0}(x,y,u,v) \ge 0 , \qquad p^{z_1}\cdot P^{z_1}(x,y,u,v) \ge 0 ,$$
$$p^{z_0}\cdot P^{z_0}(x,y,u,v) + p^{z_1}\cdot P^{z_1}(x,y,u,v) = P(x,y,u,v)$$

for all $x, y, u, u', v, v'$.

Proof. This follows directly from Lemma 3.9, p. 77, and the definition of a tripartite non-signalling system. □

Note that when expressed in terms of the variables $P'^{z_0}(x,y,u,v) = p^{z_0}\cdot P^{z_0}(x,y,u,v)$ and $P'^{z_1}(x,y,u,v) = p^{z_1}\cdot P^{z_1}(x,y,u,v)$ this is a linear program.



5.5.2 A concrete (good) adversarial strategy

We now describe a special non-signalling partition $w$ of the system $P^{n,\varepsilon}_{XY|UV}$ which gives a large distance from uniform of the key bit $B = f(X)$. The non-signalling partition is of the form (see also Figure 5.6)

$$P^{n,\varepsilon}_{XY|UV} = \frac{1}{2}\cdot P^{z_0}_{XY|UV} + \frac{1}{2}\cdot P^{z_1}_{XY|UV} .$$

It will, therefore, be enough to give $P^{z_0}_{XY|UV}$ and to show that $(1/2, P^{z_0}_{XY|UV})$ is an element of a non-signalling partition of $P^{n,\varepsilon}_{XY|UV}$.

[Figure 5.6 shows $P^{n,\varepsilon}_{XY|UV} = \frac{1}{2}\cdot P^{z_0}_{XY|UV} + \frac{1}{2}\cdot P^{z_1}_{XY|UV}$, both parts non-signalling, with $B$ biased to 0 and to 1, respectively.]

Figure 5.6: The successful attack in the tripartite non-signalling case is such that, with probability 1/2, Eve obtains an outcome such that the bit $B$ is biased to 0.

The probabilities $P^{z_0}(x,y,u,v)$ are defined in four cases, according to the values of $x$ and $y$ and the properties of the system $P_{XY|UV}$. For simplicity, let us use the following notation:

$$\mathcal{Y}_< := \Big\{\, y \ \Big|\ \sum_{x:f(x)=0} P(x,y,u,v) < \sum_{x:f(x)=1} P(x,y,u,v) \Big\} ,$$
$$\mathcal{Y}_> := \Big\{\, y \ \Big|\ \sum_{x:f(x)=0} P(x,y,u,v) > \sum_{x:f(x)=1} P(x,y,u,v) \Big\} ,$$
$$\mathcal{X}_0 := \{x \mid f(x) = 0\} , \qquad \mathcal{X}_1 := \{x \mid f(x) = 1\} .$$

Definition 5.4. For a given system $P_{XY|UV}$ and function $f : \mathcal{X} \to \{0,1\}$, the system $P^{z_0}_{XY|UV}$ is defined as (see Figure 5.7)

$$P^{z_0}_{XY|UV}(x,y,u,v) := c(x,y,u,v)\cdot P_{XY|UV}(x,y,u,v) ,$$

where the factor $c(x,y,u,v)$ is defined as follows.

For all $x \in \mathcal{X}_0$, $y \in \mathcal{Y}_<$: $c(x,y,u,v) := 2$.

For all $x \in \mathcal{X}_1$, $y \in \mathcal{Y}_<$: $c(x,y,u,v) := \dfrac{\sum_{x'} (-1)^{(f(x')+1)}\, P(x',y,u,v)}{\sum_{x':f(x')=1} P(x',y,u,v)}$.

For all $x \in \mathcal{X}_0$, $y \in \mathcal{Y}_>$: $c(x,y,u,v) := \dfrac{\sum_{x'} P(x',y,u,v)}{\sum_{x':f(x')=0} P(x',y,u,v)}$.

For all $x \in \mathcal{X}_1$, $y \in \mathcal{Y}_>$: $c(x,y,u,v) := 0$.

Lemma 5.8. For $P^{n,\varepsilon}_{XY|UV}$ and any $f : \mathcal{X} \to \{0,1\}$, $P^{z_0}_{XY|UV}$ is a non-signalling system.

Proof.

For all $u$, $v$ and $y \in \mathcal{Y}_<$:

$$\sum_x P^{z_0}(x,y,u,v) = \sum_{x:f(x)=0} 2\cdot P(x,y,u,v) + \sum_{x:f(x)=1} P(x,y,u,v)\cdot\frac{\sum_{x'}(-1)^{(f(x')+1)}\,P(x',y,u,v)}{\sum_{x':f(x')=1} P(x',y,u,v)} \qquad (5.1)$$
$$= 2\sum_{x:f(x)=0} P(x,y,u,v) + \sum_{x:f(x)=1} P(x,y,u,v) - \sum_{x:f(x)=0} P(x,y,u,v) = \sum_x P(x,y,u,v) .$$

For all $u$, $v$ and $y \in \mathcal{Y}_>$:

$$\sum_x P^{z_0}(x,y,u,v) = \sum_{x:f(x)=1} 0 + \sum_{x:f(x)=0} P(x,y,u,v)\cdot\frac{\sum_{x'} P(x',y,u,v)}{\sum_{x':f(x')=0} P(x',y,u,v)} \qquad (5.2)$$
$$= \sum_{x:f(x)=1} P(x,y,u,v) + \sum_{x:f(x)=0} P(x,y,u,v) = \sum_x P(x,y,u,v) .$$

For the non-signalling condition in the other direction, note that

$$P(x,y,u,v') = P(x,y',u,v) ,$$

where the $i$-th bit of $y'$ is defined as $y'_i := y_i \oplus u_i\cdot(v'_i - v_i)$. Therefore, for all $x, u, v'$:

$$\sum_y P^{z_0}(x,y,u,v') = \sum_{y'} P^{z_0}(x,y',u,v) = \sum_y P^{z_0}(x,y,u,v) .$$

Finally, the normalization follows directly from (5.1) and (5.2):

$$\sum_{x,y} P^{z_0}(x,y,u,v) = \sum_y \sum_x P(x,y,u,v) = 1 .$$

□

Figure 5.7: The intuition for the construction of $P^{z_0}_{XY|UV}$ from $P_{XY|UV}$: for each value of $y$, move as much probability as possible from values mapped to 1 to values mapped to 0.

Lemma 5.9. There exists a non-signalling partition of $P^{n,\varepsilon}_{XY|UV}$ with an element $(1/2, P^{z_0}_{XY|UV})$.



Proof. Lemma 5.8 implies that $P^{z_0}_{XY|UV}$ is a non-signalling system. The criterion for an element of a non-signalling partition is given in Lemma 3.8, p. 76, which for the case $p = 1/2$ translates to the constraint $P^{z_0}(x,y,u,v) \le 2P(x,y,u,v)$, and which is satisfied due to the definition of $c(x,y,u,v)$. □

Defining the complementary system as $P^{z_1}(x,y,u,v) := 2P(x,y,u,v) - P^{z_0}(x,y,u,v)$, we obtain a non-signalling partition of $P^{n,\varepsilon}_{XY|UV}$ by

$$P^{n,\varepsilon}_{XY|UV}(x,y,u,v) = \frac{1}{2}\,P^{z_0}(x,y,u,v) + \frac{1}{2}\,P^{z_1}(x,y,u,v) .$$

Definition 5.5. The non-signalling partition $w$ of $P^{n,\varepsilon}_{XY|UV}$ is the one consisting of the two elements $(1/2, P^{z_0}_{XY|UV})$ and $(1/2, P^{z_1}_{XY|UV})$ defined above.



We can now calculate the distance from uniform of the bit $B = f(X)$ that can be reached by this non-signalling partition.

Lemma 5.10. Consider the non-signalling system $P^{n,\varepsilon}_{XY|UV}$. The distance from uniform of $B = f(X) \in \{0,1\}$ given $Z(w)$ and $Q = (U = u, V = v, F = f)$ is

$$d(B|Z(w),Q) = \max\Bigg\{\ \frac{1}{2}\,\Bigg|\sum_{(x,y):f(x)=0} P^{n,\varepsilon}(x,y,u,v) - \sum_{(x,y):f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg| ,\ \ \sum_y \min\Bigg\{\sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v),\ \sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg\}\ \Bigg\} .$$

Note that the first term in the maximization corresponds to the bias of the bit $B$ and the second to the sum over all possible values of $y$, of the probability that given this specific value of $y$, $B$ is mapped to 0 or 1, whichever one of the two is smaller.



Proof. By Definition 5.4,

$$\sum_{(x,y):f(x)=0} P^{z_0}(x,y,u,v) - \sum_{(x,y):f(x)=1} P^{z_0}(x,y,u,v) = \sum_y\Bigg(\sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v) - \sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg) + 2\sum_y \min\Bigg\{\sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v),\ \sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg\} .$$

Assume w.l.o.g. that this quantity is positive, otherwise exchange the roles of $z_0$ and $z_1$. We use $P^{z_1}(x,y,u,v) = 2\,P^{n,\varepsilon}(x,y,u,v) - P^{z_0}(x,y,u,v)$ and Lemma 5.1 and distinguish two cases. If $B$ given $z_1$ is biased towards 1, then

$$d(B|Z(w),Q) = \sum_y \min\Bigg\{\sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v),\ \sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg\} .$$

If $B$ given $z_1$ is biased towards 0, then

$$d(B|Z(w),Q) = \frac{1}{2}\sum_{x,y}(-1)^{f(x)}\, P^{n,\varepsilon}(x,y,u,v) .$$

Note that $B$ given $z_1$ is biased towards 1 exactly if

$$\sum_y\Bigg(\sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v) - \sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v)\Bigg) + 2\sum_y \min\Bigg\{\sum_{x:f(x)=0} P^{n,\varepsilon}(x,y,u,v),\ \sum_{x:f(x)=1} P^{n,\varepsilon}(x,y,u,v)\Bigg\} > 0 .$$

This concludes the proof. □

5.6 Impossibility of Privacy Amplification 

5.6.1 For linear functions 

Using the non-signalling partition given in Section 5.5.2, it is now
straightforward to show that privacy amplification by applying a linear
function, i.e., taking the XOR of some subset of the output bits, is impossible.
Moreover, we will show that the more bits we take the XOR of, the more
Eve can know. The non-signalling partition $w$ is such that the distance
from uniform of the key bit given $w$ is always larger than $\varepsilon$,
where $\varepsilon$ is the error of the system. In the limit of large $n$ it is,
however, even larger and Eve can almost perfectly know Alice's final bit.

Lemma 5.11. For all linear functions $f:\{0,1\}^n \to \{0,1\}$, the distance from uniform of the bit $B = f(X)$ given the non-signalling partition $w$ and $Q = (U=u, V=v, F=f)$ is larger than $\varepsilon$, i.e., $d(f(X)\,|\,Z(w),Q) > \varepsilon$.




Figure 5.8: The lower bound on the distance from uniform of $\bigoplus_i X_i$ as given by (5.3), as a function of the number of systems $n$ and the error $\varepsilon$. Note that the non-trivial region of $\varepsilon$ is below $1/4$.



Proof. Any function from $n$ bits to 1 bit which is linear in the input bits can be expressed as $f(X) = \bigoplus_{i\in K} X_i$ for some $K \subseteq \{1,\ldots,n\}$. The positions outside $K$ contribute a factor $(1-\varepsilon)+\varepsilon = 1$ to every sum below, so we take $K = \{1,\ldots,n\}$; for a smaller $K$ replace $n$ by $|K|$ throughout. Because all values of $X$ are output with the same probability, the probability that $B = 0$ is the same as the probability that $B = 1$. The first term in the maximization (Lemma 5.10) is, therefore, 0. To determine the distance from uniform of $B = f(X)$ given the non-signalling partition $w$, we calculate the value of the second term. For each value of $y$ it holds that

$$\sum_{x:\bigoplus_i x_i = 0} P^{n,\varepsilon}(x,y,u,v) = \sum_{i=0}^{\lfloor n/2\rfloor} \binom{n}{2i}\,(1-\varepsilon)^{n-2i}\,\varepsilon^{2i}\,\Big(\frac12\Big)^n\,,$$

$$\sum_{x:\bigoplus_i x_i = 1} P^{n,\varepsilon}(x,y,u,v) = \sum_{i=0}^{\lfloor (n-1)/2\rfloor} \binom{n}{2i+1}\,(1-\varepsilon)^{n-2i-1}\,\varepsilon^{2i+1}\,\Big(\frac12\Big)^n\,,$$

or with the value of the function flipped (depending on $y$ and on the inputs). The value of the second expression is always smaller than the value of the first one: both values sum up to $1/2^n$, and the first one, the probability of an even number of errors among the $n$ systems, equals $(1+(1-2\varepsilon)^n)/2^{n+1}$, which is at least half of the sum for $\varepsilon \le 1/2$. Therefore,

$$d\Big(\bigoplus_i X_i\,\Big|\,Z(w),Q\Big) = \sum_y \sum_{i=0}^{\lfloor (n-1)/2\rfloor} \binom{n}{2i+1}\,(1-\varepsilon)^{n-2i-1}\,\varepsilon^{2i+1}\,\Big(\frac12\Big)^n = \sum_{i=0}^{\lfloor (n-1)/2\rfloor} \binom{n}{2i+1}\,(1-\varepsilon)^{n-2i-1}\,\varepsilon^{2i+1} = \frac{1-(1-2\varepsilon)^n}{2}\,, \qquad (5.3)$$

which is larger than $\varepsilon$ for all $n > 1$ and $0 < \varepsilon < 1/2$, since then $(1-2\varepsilon)^n < 1-2\varepsilon$. □

This shows that there exists a constant lower bound on the knowledge
Eve can obtain about the key bit by using this strategy. Furthermore, in
the limit of large $n$, the distance from uniform of the bit $f(X) = \bigoplus_i X_i$
tends towards $1/2$ and Eve can have almost perfect knowledge about
Alice's output bit, no matter the original error of the system.



5.6.2 For any hashing 

Let us now turn to the case where $f$ can be any function and does not
necessarily need to be linear. We will show that even then, privacy
amplification is not possible. For the proof we will proceed in several
steps: First, we will show that the distance from uniform of the bit $f(X)$
reached by the non-signalling partition $w$ is independent of the input that
Alice and Bob have given. This will allow us to consider the distance from
uniform only for the case when the input has been the all-zero input, in
which case we can express it in terms of the correlations of the output bit
strings. We will then use a result by Yang [Yan07] on (the impossibility of)
non-interactive correlation distillation, limiting the correlation of bits
which can be obtained from a sequence of weakly correlated bits.

Lemma 5.12. The distance from uniform of the bit $f(X)$ given the non-signalling partition $w$ defined in Section 5.5.2 is independent of the values of $u$ and $v$, i.e., $d(f(X)\,|\,Z(w),Q) = d(f(X)\,|\,Z(w),Q')$, where $Q = (U=u, V=v, F=f)$ and $Q' = (F=f)$.

Proof. The probability of the output $x,y$ given input $u,v$ is the same as the probability of output $x,y'$ given the all-zero input, i.e.,

$$P^{n,\varepsilon}(x,y,u,v) = (1-\varepsilon)^{n-d_H(x,y')}\,\varepsilon^{d_H(x,y')}\,\Big(\frac12\Big)^n = P^{n,\varepsilon}(x,y',0\ldots0,0\ldots0)\,,$$

where we have defined $y'_i := y_i \oplus u_i\cdot v_i$ and $d_H$ denotes the Hamming distance (see below). Because the distance from uniform given the non-signalling partition $w$ (Lemma 5.10) is obtained by summing over all values of $y$, it is independent of the values $u,v$. □

Hence, we only have to find a lower bound on the distance from uniform $d(f(X)\,|\,Z(w),Q')$, where we can assume that the input was the all-zero input. Note that the output probabilities given the all-zero input take a particularly simple form, more precisely,

$$P^{n,\varepsilon}(x,y,0\ldots0,0\ldots0) = (1-\varepsilon)^{n-d_H(x,y)}\,\varepsilon^{d_H(x,y)}\,\Big(\frac12\Big)^n\,,$$

where $d_H(x,y)$ denotes the Hamming distance between the bit strings $x$ and $y$, i.e., the number of positions where the strings differ.

We will now show that the distance from uniform reached by the non- 
signalling partition w is related to the correlation of two bits which can be 
obtained from the outputs. First, we need to introduce some definitions. 

Definition 5.6. The correlation $c_{XY}$ between two random bits $X$ and $Y$ is the probability for the two bits to be equal, minus the probability for the two bits to be different, i.e.,

$$c_{XY} = P(X = Y) - P(X \neq Y)\,.$$

Two equal random bits have correlation 1 and are called completely correlated; two random bits which are always different have correlation $-1$ and are called completely anti-correlated.

Let us further consider the following scenario: Alice has a random $n$-bit string $X$ to which she applies a public function $f:\{0,1\}^n \to \{0,1\}$ in order to obtain a single bit. Bob has a random $n$-bit string $Y$. Each bit of $Y$ is correlated with the corresponding bit of $X$, and Bob would like to calculate a bit $g(Y)$ that is highly correlated with $f(X)$. The best achievable correlation is

$$c_{g(Y)f(X)} = 2\,\mathbb{E}_y\big[\max\{P(f(X)=0\,|\,Y=y),\ P(f(X)=1\,|\,Y=y)\}\big] - 1\,,$$

and it is reached by choosing $g(Y)$ to be 0 (or 1) if $f(X)$ is more likely to be 0 (1) given the value of $Y$.

Definition 5.7. Assume a random variable $X$, which is mapped to a bit $f(X) \in \{0,1\}$, and a random variable $Y$ with a joint distribution $P_{XY}$. The maximum-likelihood function $g$ of $f(X)$ given $Y$ is the function $g:\mathcal{Y} \to \{0,1\}$ such that

$$g(y) = \begin{cases} 0 & \text{if } \Pr[f(X)=0\,|\,Y=y] \ge \Pr[f(X)=1\,|\,Y=y]\,,\\ 1 & \text{otherwise}\,. \end{cases}$$

(How ties are broken does not affect the resulting correlation.)



Using these definitions, we can show the key statement for the derivation of our result: the amount of information Eve can gain about the key bit is proportional to the error in correlation between Alice's and Bob's bits.

Lemma 5.13. The distance from uniform of $f(X)$ given the non-signalling partition $w$ and $Q = (F=f)$ is at least $(1-c_{f(X)g(Y)})/2$, where $g$ is the maximum-likelihood function of $f(X)$ given $Y$, i.e.,

$$d(f(X)\,|\,Z(w),Q) \ge \frac12 - \frac12\,c_{f(X)g(Y)}\,.$$

Proof. By Lemma 5.10 and the all-zero-input form of the distribution,

$$d(f(X)\,|\,Z(w),Q) \ge \sum_y \min\Bigg\{\sum_{x:f(x)=0} (1-\varepsilon)^{n-d_H(x,y)}\,\varepsilon^{d_H(x,y)}\Big(\frac12\Big)^n,\ \sum_{x:f(x)=1} (1-\varepsilon)^{n-d_H(x,y)}\,\varepsilon^{d_H(x,y)}\Big(\frac12\Big)^n\Bigg\}$$

$$= \sum_y \Big(\frac12\Big)^n \min\{P(f(X)=0\,|\,Y=y),\ P(f(X)=1\,|\,Y=y)\}$$

$$= 1 - \sum_y \Big(\frac12\Big)^n \max\{P(f(X)=0\,|\,Y=y),\ P(f(X)=1\,|\,Y=y)\} = 1 - \mathbb{E}_y\big[\max\{P(f(X)=0\,|\,Y=y),\ P(f(X)=1\,|\,Y=y)\}\big]\,,$$

where we used that the marginal of $y$ is uniform, $P(y) = (1/2)^n$, and that the two conditional probabilities sum to 1. The last line is exactly equal to $1/2 - c_{f(X)g(Y)}/2$, where $g$ is the maximum-likelihood function of $f(X)$ given $Y$. □

This means that unless Bob is able to create a bit which is highly correlated with Alice's output bit, the adversary can always obtain significant information about the key bit. However, we will see now that the only way to obtain highly correlated bits is to apply a biased function.
The following theorem, proven by Yang [Yan07], shows the trade-off between randomness and correlation of two random bits.

Theorem 5.1 (Non-interactive correlation distillation [Yan07]). Let $X$ and $Y$ be strings of $n$ uniformly random bits with (bit-wise) correlation $1-2\varepsilon$. Then the maximal correlation that can be reached by locally applying a function $f$ (and $g$, respectively) to the $n$ bits is $1 - 2\varepsilon(1-4\delta^2)$, where $\delta := \max(d(f(X)), d(g(Y)))$.

Lemma 5.13 implies that if $\delta$ is small, then Eve's knowledge is high. We now need to see whether we can lower-bound Eve's knowledge for the case of large $\delta$. For $\delta$ to be large, either $d(f(X))$ or $d(g(Y))$ needs to be large. We first show that if $d(f(X))$ is large, then so is Eve's knowledge about the bit $f(X)$.

Lemma 5.14. The distance from uniform of $f(X)$ given the non-signalling partition $w$ and $Q = (F=f)$ is at least $d(f(X))$, i.e.,

$$d(f(X)\,|\,Z(w),Q) \ge d(f(X))\,.$$

Proof. By Lemma 5.10 the distance is at least the first term of the maximization, so

$$d(f(X)\,|\,Z(w),Q) \ge \frac12\,\big|P(f(X)=0\,|\,0\ldots0) - P(f(X)=1\,|\,0\ldots0)\big| = d(f(X))\,. \qquad □$$

We have shown that Eve's knowledge about the key bit is high if either the output bits are not very correlated or one of the bits is biased. It remains to exclude the case that $\delta$ is large because $d(f(X))$ is small and $d(g(Y))$ is large. However, when the difference between these two values is large, the correlation between the two bits cannot be high.

Lemma 5.15.

$$c_{f(X)g(Y)} \le 1 - 2\,\big|d(g(Y)) - d(f(X))\big|\,.$$

Proof. Since $\Pr[f(X) \neq g(Y)] \ge |\Pr[g(Y)=0] - \Pr[f(X)=0]| \ge |d(g(Y)) - d(f(X))|$,

$$c_{f(X)g(Y)} = 2\Pr[f(X)=g(Y)] - 1 \le 2\,\big(1 - |d(g(Y)) - d(f(X))|\big) - 1 = 1 - 2\,\big|d(g(Y)) - d(f(X))\big|\,. \qquad □$$
By Lemma 5.13 this implies directly that when the difference between the two distances from uniform is large, then the correlation is low and, therefore, the distance from uniform of the key bit is large. We can connect the distance from uniform of the bit $f(X)$ with the value $\delta$.

Lemma 5.16. The distance from uniform of $f(X)$ given the non-signalling partition $w$ and $Q = (F=f)$ is at least $\delta/2$, i.e.,

$$d(f(X)\,|\,Z(w),Q) \ge \frac12\,\delta\,,$$

where $\delta := \max(d(f(X)), d(g(Y)))$ and $g$ is the maximum-likelihood function of $f(X)$ given $Y$.

Proof. Lemmas 5.13, 5.14 and 5.15 imply that

$$d(f(X)\,|\,Z(w),Q) \ge \max\big\{d(f(X)),\ |d(g(Y)) - d(f(X))|\big\} \ge \frac12\max\big\{d(f(X)),\ d(g(Y))\big\} = \frac12\,\delta\,,$$

where the second inequality uses $\max\{a, |b-a|\} \ge b/2$ for $a,b \ge 0$. □

Now we can put Lemmas 5.13 to 5.16 and Theorem 5.1 together to obtain a general lower bound on the adversary's knowledge.

Theorem 5.2. The distance from uniform of $f(X)$ given the non-signalling partition $w$ and $Q = (F=f)$ is at least $(-1+\sqrt{1+64\varepsilon^2})/(32\varepsilon)$, i.e.,

$$d(f(X)\,|\,Z(w),Q) \ge \frac{-1+\sqrt{1+64\varepsilon^2}}{32\varepsilon}\,.$$

Proof. By Theorem 5.1 it holds that $1/2 - c_{f(X)g(Y)}/2 \ge \varepsilon(1-4\delta^2)$. Together with Lemmas 5.13 and 5.16 this implies that

$$d(f(X)\,|\,Z(w),Q) \ge \max\Big\{\varepsilon(1-4\delta^2),\ \frac12\,\delta\Big\} \ge \frac{-1+\sqrt{1+64\varepsilon^2}}{32\varepsilon}\,,$$

where the last inequality holds because the first term decreases and the second increases in $\delta$, so the maximum is smallest where the two coincide, i.e., at the positive root $\delta^* = (-1+\sqrt{1+64\varepsilon^2})/(16\varepsilon)$ of $8\varepsilon\delta^2 + \delta - 2\varepsilon = 0$, and $\delta^*/2$ is the stated value. □



Note that for small $\varepsilon$ this lower bound takes a value close to $\varepsilon$ (since $\sqrt{1+64\varepsilon^2} - 1 \approx 32\varepsilon^2$), while for $\varepsilon$ close to $1/4$ it is still larger than $\varepsilon/2$. We obtain a constant lower bound (see Fig. 5.9) depending only on the error $\varepsilon$ of the individual systems and independent of the number of systems $n$. This implies that the distance from uniform can never become negligible in the number $n$, as it should be the case for privacy amplification.

Figure 5.9: The lower bound on the distance from uniform of the final bit as a function of the error of the systems $\varepsilon$.

The above argument further implies that by applying a function to the 
inputs and outputs of any number of unbiased PR boxes with error e, it 
is not possible to create an unbiased PR box with error e' < e/4. 
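The following Python script is an added worked example and not code from the thesis; the function names and the brute-force evaluation are this example's own. It evaluates Lemma 5.10 exhaustively for the $n$-fold PR-box system with error $\varepsilon$ on the all-zero input (Lemma 5.12 shows this loses no generality), compares the distance from uniform of the XOR with the closed form (5.3), checks that a non-linear function (majority) still exceeds the $n$-independent bound of Theorem 5.2, verifies Lemma 5.13 through the maximum-likelihood correlation of Definition 5.7, and shows Lemma 5.14 being tight for a strongly biased function. The exhaustive sums cost $4^n$ evaluations, so it is meant for small $n$.

```python
"""Brute-force check of the Section 5.6 bounds (added example, not thesis code).

Assumes the n-fold PR-box system with error eps on the all-zero input, which
Lemma 5.12 shows loses no generality:
    P^{n,eps}(x,y|0..0,0..0) = (1-eps)^(n-d_H(x,y)) * eps^d_H(x,y) / 2^n.
All function names below are this example's own.
"""
from itertools import product
from math import comb, sqrt


def p_all_zero(x, y, eps):
    """P^{n,eps}(x, y | 0...0, 0...0) for equal-length bit tuples x and y."""
    n = len(x)
    d = sum(a != b for a, b in zip(x, y))      # Hamming distance d_H(x, y)
    return (1 - eps) ** (n - d) * eps ** d / 2 ** n


def split_by_f(f, n, eps):
    """For every y: (mass of x with f(x)=0, mass of x with f(x)=1), i.e. the
    two inner sums of Lemma 5.10.  Enumerates all 4^n pairs, so keep n small."""
    parts = []
    for y in product((0, 1), repeat=n):
        a = b = 0.0
        for x in product((0, 1), repeat=n):
            p = p_all_zero(x, y, eps)
            if f(x) == 0:
                a += p
            else:
                b += p
        parts.append((a, b))
    return parts


def distance_from_uniform(f, n, eps):
    """d(f(X)|Z(w),Q) of Lemma 5.10: the larger of half the bias of f(X) and
    sum_y min{mass on f=0, mass on f=1} (Eve's non-signalling partition w)."""
    parts = split_by_f(f, n, eps)
    bias = abs(sum(a - b for a, b in parts)) / 2
    min_sum = sum(min(a, b) for a, b in parts)
    return max(bias, min_sum)


def ml_correlation(f, n, eps):
    """c_{f(X)g(Y)} for the maximum-likelihood g of Definition 5.7:
    2 * E_y[max(P(f=0|y), P(f=1|y))] - 1."""
    return 2 * sum(max(a, b) for a, b in split_by_f(f, n, eps)) - 1


def bias_of_f(f, n):
    """d(f(X)) for uniform X: half the difference of the two preimage masses."""
    zeros = sum(1 for x in product((0, 1), repeat=n) if f(x) == 0)
    return abs(zeros / 2 ** n - 0.5)


def xor_bound(n, eps):
    """Right-hand side of (5.3): probability of an odd number of box errors,
    which equals (1 - (1-2eps)^n) / 2."""
    return sum(comb(n, 2 * i + 1) * (1 - eps) ** (n - 2 * i - 1) * eps ** (2 * i + 1)
               for i in range((n + 1) // 2))


def theorem_bound(eps):
    """Theorem 5.2: lower bound on d(f(X)|Z(w),Q) valid for every f and every n."""
    return (-1 + sqrt(1 + 64 * eps ** 2)) / (32 * eps)


def xor(x):
    return sum(x) % 2


def majority(x):
    """Majority vote; used with odd n so that there are no ties."""
    return 1 if 2 * sum(x) > len(x) else 0


def and_all(x):
    """A strongly biased function, to see Lemma 5.14 at work."""
    return int(all(x))


if __name__ == "__main__":
    eps = 0.1
    print(f"Theorem 5.2 bound at eps={eps}: {theorem_bound(eps):.4f}")
    for n in range(1, 6):
        print(f"n={n}: d(XOR) brute-force={distance_from_uniform(xor, n, eps):.4f}"
              f"  (5.3)={xor_bound(n, eps):.4f}")
    for n in (3, 5):
        d = distance_from_uniform(majority, n, eps)
        c = ml_correlation(majority, n, eps)
        print(f"n={n}: d(majority)={d:.4f}  (1-c)/2={(1 - c) / 2:.4f}")
    print(f"n=2: d(AND)={distance_from_uniform(and_all, 2, eps):.4f}"
          f"  d(f(X))={bias_of_f(and_all, 2):.4f}")
```

For $\varepsilon = 0.1$ the XOR values agree with (5.3) and rise from $0.1$ ($n=1$) through $0.18$ and $0.244$ towards $1/2$, while the Theorem 5.2 bound stays at about $0.0877$ for every $n$; the majority of three bits gives $0.136$, which equals $(1-c)/2$ because the function is balanced, and the AND of two bits gives exactly its own bias $0.25$, so Eve learns the key bit at least as well as its bias allows.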



5.7 Concluding Remarks 

We have shown that when a non-signalling condition holds only between
Alice, Bob, and Eve, privacy amplification is, in general, not possible
against non-signalling adversaries. Some sort of additional non-signalling
condition is, therefore, necessary.

We have also argued that the XOR is not a good privacy amplification
function, even if the non-signalling condition is restricted to one direction
and also in the quantum case. It remains an open question whether a
different function could be used in these cases.

The question might arise whether, instead of using a fixed function $f$, it
might be useful to choose a random function, i.e., a function chosen from
a certain set of functions. For the impossibility result in this chapter this
would, however, not help: a non-signalling adversary always has every
attack on a system with a given marginal at her disposal. In the above
argument it is, therefore, not important from which set the function $f$
was chosen, because the eavesdropper can delay the choice of her input
until the function becomes public. In the quantum case it is an open
question whether functions chosen at random from a certain set are strictly
stronger than fixed functions.